sealert(8) sealert(8)
NAME
sealert - setroubleshoot client tool
SYNOPSIS
sealert [-b] [-h] [-s] [-S] [-l id] [-a file] [-v] [-V] [-u] [-p]
DESCRIPTION
This manual page describes the sealert program.
sealert is the user interface component (either GUI or command line) to
the setroubleshoot system. setroubleshoot is used to diagnose SELinux
denials and attempts to provide user friendly explanations for a
SELinux denial (e.g. AVC) and recommendations for how one might adjust
the system to prevent the denial in the future.
In a standard configuration setroubleshoot is composed of two compo-
nents, setroubleshootd and sealert.
setroubleshootd is a system daemon which runs with root privileges and
listens for audit events emitted from the kernel related to SELinux.
When the setroubleshootd daemon sees an SELinux AVC denial it runs a
series of analysis plugins which examines the audit data related to the
AVC. It records the results of the analysis and signals any clients
which have attached to the setroubleshootd daemon that a new alert has
been seen.
sealert can be run in either a GUI mode or a command line mode. In both
instances sealert run as a user process with the privileges associated
with the user. In GUI mode it attaches to a setroubleshootd server
instance and listens for notifications of new alerts. By default the
setroubleshootd server instance is the one on the local machine, how-
ever one can connect via TCP to another server instance on another
machine. When a new alert arrives it alerts the desktop user via a
notification in the status icon area. The user may then click on the
alert notification which will open an alert browser. In addition to the
current alert sealert communicates with the setroubleshootd daemon to
access all prior alerts stored in the setroubleshoot database.
The user may elect to tag any given alert as being "silent" in the
browser which prevents any future notification for the given alert.
This is useful when a user is already aware of a reoccurring problem.
Alerts may be deleted in the browser by selecting one or more alerts
and using the menu item to mark them for deletion. The marked alerts
are not actually deleted until the user selects the command to delete
all alerts marked for deletion. This is analogous to many popular IMAP
email clients. The user may elect to hide in the browser alerts marked
for deletion and/or alerts which have been marked as silent, this helps
keep the browser less cluttered.
In addition to alerts provided by the setroubleshoot daemon the "Scan
Logfile" menu item provides the user with the ability to scan a log
file which may contain audit messages, run the same analysis on the
audit messages as the setroubleshootd daemon would done and then browse
the alerts generated by the log file scan. The user may switch back and
forth between "audit" alerts from the daemon and "logfile" alerts gen-
erated by the scan.
sealert may also be run in command line mode. The two most useful com-
mand line options are -l to "lookup" an alert ID and -a to "analyze" a
log file. When setroubleshootd generates a new alert it assigns it a
local ID and writes this as a syslog message. The -l lookup option may
then be used to retrieve the alert from the setroubleshootd alert
database and write it to stdout. This is most useful when setrou-
bleshootd is being run on a headless system without the GUI desktop
alert facility. The -a analyze option is equivalent to the "Scan Log-
file" command in the browser. The log file is scanned for audit mes-
sages, analysis is performed, alerts generated, and then written to
stdout. In both cases the -H option can be used to cause the alert to
be written out in HTML format rather than the default plain text.
LOG FILE SCANNING
You may ask sealert to parse a file accumulating all the audit messages
it finds in that file. As each audit event is recognized it is pre-
sented for analysis which may generate an alert report if the analysis
was successful. If the same type of event is seen multiple times
resulting in the same report the results are coalesced into a single
report. The report count field will indicate the number of times the
tool thought it saw the same issue. The report will also include a list
of every line number on which it found an audit record which con-
tributed to the coalesced report. This will allow you to coordinate the
contents of the file with the analysis results if need be.
Log file scanning may be initiated from the sealert browser via the
File::ScanLogFile menu or from the command line via ’sealert -a file-
name’. Please note that sealert runs as a user level process with the
permissions of the user running it. Many system log files are readable
by root only. To work around this if you have root access one can copy
the file as root to a temporary file and change it’s permissions. This
is a good solution when scanning via the GUI as a normal user. Or you
might consider su’ing to root and run the analysis via the command line
(e.g. sealert -a filename).
The audit records in the log file must be valid syntactically correct
audit messages or the parser will ignore them.
If you use the GUI browser to scan a log file you should be aware the
browser can track and display alert reports from two simultaneous
sources, either the alerts from the setroubleshootd server which is
connected to the audit system or the alert reports from a log file
scan. The View menu has entries which allow you to toggle between view-
ing the audit system reports and the scanned file reports.
OPTIONS
-b --browser
Launch the browser
-h --help
Show this message
-H --html_output
Ouput in html, Used with the -a or -l option
-s --service
Start sealert service, Usually used by dbus.
-S --noservice
Start sealert without dbus service as stand alone app
-l --lookupid id
Lookup alert by id, if id is wildcard * then return all alerts
-a --analyze file
Scan a log file, analyze it’s AVC’s
-v --verbose
Start in verbose mode -V --debug Start in debug mode (i.e. very
verbose)
-u --user
logon as user
-b --password
set user password
GUI MENU
Connect To...
Connect to a different setroubleshoot server, browse the alert
from that server’s database.
Scan Logfile...
Scan a log file, then browse alert results from that log file.
Save As...
Save selected alerts in file.
Print...
Print the selected alerts.
Edit Email Alert List...
Edit the list of email addresses which receive alerts via email.
Also allows modifying the conditions under which an email alert
is generated.
Close Close the window.
Select All
Select all alerts in the browser.
Select None
Remove all the alert selections in the browser.
Copy Copy selected text in the detail pane to the clipboard.
Copy Alert
Copy selected alerts in their entirety to clipboard with proper
text formatting.
Mark Delete
Each selected alert will be marked for later deletion.
Undelete
Clear deletion flag from the selected alerts.
Remove Marked Deleted
Permanently delete all alerts marked for deletion.
Hide deleted
Toggle whether deleted alerts appear in the browser list.
Hide quiet
Toggle whether alerts which are flagged as being quiet appear in
the browser list.
Show Toolbar
Toggle the toolbar on/off.
View Audit Alerts
View alerts from audit system (more specifically from whatever
setroubleshoot server the browser is connected to). Note, the
browser can display either alerts from the audit system or
alerts from a log file scan.
View Logfile Scan
View alerts from the last log file scan. Note, the browser can
display either alerts from the audit system or alerts from a log
file scan.
AUTHOR
This man page was written by John Dennis <jdennis@redhat.com> and Dan
Walsh <dwalsh@redhat.com>.
SEE ALSO
selinux(8),
20061121 sealert(8)
