[systemd-devel] setroubleshoot integration.
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 9 14:03:03 PST 2013
On 01/09/2013 04:52 PM, Zbigniew Jędrzejewski-Szmek wrote:
> On Wed, Jan 09, 2013 at 02:58:12PM -0500, Daniel J Walsh wrote:
>>
>> On 01/09/2013 02:49 PM, Lennart Poettering wrote:
>>> On Wed, 09.01.13 17:44, Zbigniew Jędrzejewski-Szmek
>>> (zbyszek at in.waw.pl) wrote:
>>>
>>>>> systemctl httpd status .... SELinux is blocking httpd read access
>>>>> on /var/www/index.html setroubleshoot ... run restorecon
>>>>> /var/www/index.html
>>>>>
>>>>> The only way for systemd to know the setroubleshoot analysis is
>>>>> for httpd is to include the pid when setroubleshoot writes to the
>>>>> journal.
>>>> Hi,
>>>>
>>>> the way that finding messages pertaining to a certain service works
>>>> currently is encoded in src/share/logs-show.c, function
>>>> show_journal_by_unit:
>>>>  - journald adds _SYSTEMD_UNIT=... when it can to messages generated
>>>>    by the services themselves
>>>>  - systemd (PID 1) writes messages about services with UNIT=... and
>>>>    journald tags them with _PID=1
>>>>  - COREDUMP writes messages with COREDUMP_UNIT=...
>>>>
>>>> I think it would be relatively easy to extend show_journal_by_unit() to
>>>> check for messages with _SYSTEMD_UNIT=setroubleshootd.service (or
>>>> whatever) and UNIT=... Would this work for you? This would require
>>>> setroubleshootd to find out the unit name on its own. Actually, this
>>>> might be for the better, since by the time that journald gets the
>>>> message, the PID might be long gone, and setroubleshootd has more
>>>> knowledge.
>>>
>>> Oh, uhm, I was envisioning a much simpler, more generic solution for
>>> this. Something as simple as this:
>>>
>>> We'd define a new special field OBJECT_PID. If this is included in a
>>> message, and that message comes from a privileged service, then
>>> journald will automatically add in OBJECT_EXE, OBJECT_UID, OBJECT_COMM,
>>> OBJECT_UNIT ... from /proc.
> OK, that would work too. How is "a privileged service" defined?
>
> Zbyszek
>
UID=0 for now I would guess, until I hack into it with SELinux...
>>> That way, all setroubleshoot would have to do is add this one property
>>> to its messages, and systemd would do the rest. In fact, not only
>>> setroubleshoot could make use of that. For example, PolicyKit might
>>> too. Much like setroubleshoot it needs to log messages about specific
>>> processes (in this case clients), and could benefit from implicit
>>> augmentation of the message by journald.
>>>
>>> Eventually we might want to add the same for OBJECT_DEVICE or so, in
>>> case device managers want to log things about devices or so.
>>>
>>> Implementation of this scheme on the systemd side should be fairly
>>> simple, but even more so on the setroubleshoot side.
>>>
>>> Does this make sense?
>>>
>>> Lennart
>>>
>> I like the idea. (Less work for me.)
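Lennart's OBJECT_PID scheme and Zbigniew's description of how show_journal_by_unit() matches entries, as an added example written for this page (it is not journald's or setroubleshoot's own code): a Python sketch of the journald-side augmentation that reads OBJECT_EXE, OBJECT_UID, OBJECT_COMM and OBJECT_UNIT from /proc when the sender is privileged (UID 0, as guessed in the thread), leaves the message unaugmented when the sender is unprivileged or the target PID is already gone, and the unit-matching rule from the thread extended with OBJECT_UNIT. The /proc tree, PID, UID and message text are constructed for the demo; the field names are the ones proposed in the thread, and deriving OBJECT_UNIT from the ".service" component of /proc/<pid>/cgroup is an assumption about how journald would do it.

```python
"""Sketch of the OBJECT_PID augmentation proposed on systemd-devel.

A privileged sender attaches OBJECT_PID=<pid> to its journal message and
the journal fills in OBJECT_EXE, OBJECT_UID, OBJECT_COMM and OBJECT_UNIT
from /proc, so that `systemctl status <unit>` can later find the entry.
Illustrative code for this thread, not journald's implementation.
"""
import os
import tempfile
from pathlib import Path


def unit_from_cgroup(cgroup_text):
    """Derive a system unit name from the text of /proc/<pid>/cgroup.

    Assumption for the demo: the unit is the path component ending in
    ".service" on the systemd hierarchy line (v1 "name=systemd" or v2
    "0::").  Returns None when the process is not in a service cgroup.
    """
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        _hierarchy, controllers, path = parts
        if controllers not in ("name=systemd", ""):
            continue
        for component in path.split("/"):
            if component.endswith(".service"):
                return component
    return None


def augment_object_fields(fields, sender_uid, proc_root="/proc"):
    """Return a copy of `fields` with OBJECT_* data read from proc_root.

    Only a privileged sender (UID 0) may name another process; otherwise
    any unprivileged client could make the journal attribute arbitrary
    messages to, say, httpd.service.  If the named PID has already exited
    (Zbigniew's concern), the message is kept but stays unattributed.
    """
    out = dict(fields)
    pid = fields.get("OBJECT_PID")
    if pid is None or sender_uid != 0:
        return out
    try:
        pid_int = int(pid)
    except ValueError:
        return out
    if pid_int <= 0:
        return out
    proc = Path(proc_root) / str(pid_int)
    try:
        out["OBJECT_EXE"] = os.readlink(proc / "exe")
        out["OBJECT_COMM"] = (proc / "comm").read_text().strip()
        for line in (proc / "status").read_text().splitlines():
            if line.startswith("Uid:"):
                out["OBJECT_UID"] = line.split()[1]  # real UID
                break
        unit = unit_from_cgroup((proc / "cgroup").read_text())
        if unit:
            out["OBJECT_UNIT"] = unit
    except OSError:
        # Process gone or /proc entry unreadable: drop any half-filled
        # OBJECT_* keys and return the message as it was sent.
        return dict(fields)
    return out


def matches_unit(entry, unit):
    """The show_journal_by_unit() rules described in the thread, plus the
    proposed OBJECT_UNIT field for messages logged about a process."""
    if entry.get("_SYSTEMD_UNIT") == unit:
        return True
    if entry.get("_PID") == "1" and entry.get("UNIT") == unit:
        return True
    if entry.get("COREDUMP_UNIT") == unit:
        return True
    return entry.get("OBJECT_UNIT") == unit


def build_fake_proc(root, pid, exe, comm, uid, unit):
    """Constructed, minimal /proc/<pid> tree so the demo runs offline."""
    d = Path(root) / str(pid)
    d.mkdir(parents=True)
    (d / "exe").symlink_to(exe)  # readlink() does not follow the target
    (d / "comm").write_text(comm + "\n")
    (d / "status").write_text(f"Name:\t{comm}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
    (d / "cgroup").write_text(f"1:name=systemd:/system.slice/{unit}\n")


def demo():
    """Three outcomes: trusted sender, untrusted sender, target PID gone."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, 4242, "/usr/sbin/httpd", "httpd", 48, "httpd.service")
        msg = {  # constructed message in the style of a setroubleshoot alert
            "MESSAGE": "SELinux is blocking httpd read access on /var/www/index.html",
            "OBJECT_PID": "4242",
        }
        trusted = augment_object_fields(msg, sender_uid=0, proc_root=root)
        untrusted = augment_object_fields(msg, sender_uid=1000, proc_root=root)
        gone = augment_object_fields({**msg, "OBJECT_PID": "99999"},
                                     sender_uid=0, proc_root=root)
        return trusted, untrusted, gone


if __name__ == "__main__":
    for label, entry in zip(("trusted", "untrusted", "gone"), demo()):
        print(label, "-> httpd.service" if matches_unit(entry, "httpd.service")
              else "-> unattributed", entry)
```

Run it with python3 to see the three cases. On a real system the sender would attach the field with sd_journal_send(3) ("OBJECT_PID=%lu"); the OBJECT_* fields systemd eventually shipped, under slightly different names such as OBJECT_SYSTEMD_UNIT, are documented in systemd.journal-fields(7).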