--- setroubleshoot-2.0.12.orig/debian/dirs
+++ setroubleshoot-2.0.12/debian/dirs
@@ -0,0 +1,3 @@
+usr/bin
+usr/sbin
+usr/share/setroubleshoot/plugins
--- setroubleshoot-2.0.12.orig/debian/rules
+++ setroubleshoot-2.0.12/debian/rules
@@ -0,0 +1,120 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+include /usr/share/quilt/quilt.make
+
+
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
+CROSS= --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+else
+CROSS= --build $(DEB_BUILD_GNU_TYPE)
+endif
+
+
+
+config.status: patch configure
+ dh_testdir
+ # Add here commands to configure the package.
+ifneq "$(wildcard /usr/share/misc/config.sub)" ""
+ cp -f /usr/share/misc/config.sub config.sub
+endif
+ifneq "$(wildcard /usr/share/misc/config.guess)" ""
+ cp -f /usr/share/misc/config.guess config.guess
+endif
+ ./configure $(CROSS) --prefix=/usr \
+ --mandir=\$${prefix}/share/man \
+ --infodir=\$${prefix}/share/info \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --libexecdir=\$${prefix}/lib \
+ CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"
+
+
+build: build-stamp
+
+build-stamp: config.status
+ dh_testdir
+
+ # Add here commands to compile the package.
+ $(MAKE)
+ #docbook-to-man debian/setroubleshoot.sgml > setroubleshoot.1
+
+ touch $@
+
+clean: clean-patched unpatch
+
+clean-patched:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ # Add here commands to clean up after the build process.
+ [ ! -f Makefile ] || $(MAKE) distclean
+ rm -f config.sub config.guess
+ rm -f setroubleshoot.desktop src/setroubleshoot.cfg
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/setroubleshoot.
+ $(MAKE) DESTDIR=$(CURDIR)/debian/setroubleshoot install
+
+ # remove extra license file
+ find $(CURDIR)/debian/setroubleshoot -name "COPYING*" -delete
+
+ cp -f setroubleshoot.logrotate debian/
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs ChangeLog
+ dh_installdocs
+ dh_installexamples
+# dh_install
+# dh_installmenu
+# dh_installdebconf
+ dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+ dh_pysupport
+ dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_installman
+ dh_link
+# dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- setroubleshoot-2.0.12.orig/debian/watch
+++ setroubleshoot-2.0.12/debian/watch
@@ -0,0 +1,11 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 3 file
+version=3
+
+# Recursive directory scanning, starting from
+# http://cvs.fedoraproject.org/repo/pkgs/setroubleshoot/
+http://cvs.fedoraproject.org/repo/pkgs/setroubleshoot/setroubleshoot-([\d\.]+).tar.gz\//([a-zA-Z0-9]+)/ setroubleshoot-([\d\.]+).tar.gz
--- setroubleshoot-2.0.12.orig/debian/postinst
+++ setroubleshoot-2.0.12/debian/postinst
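Review bot: In debian/rules, the install target ends with `cp -f setroubleshoot.logrotate debian/`, which overwrites the `debian/setroubleshoot.logrotate` file this same diff adds with the copy from the top of the source tree (presumably upstream's), so the rotation policy that `dh_installlogrotate` ships is not the one reviewed here. The copy also modifies the packaging directory during the build, and `clean-patched` never restores it. If the Debian file is the intended one, drop the `cp` line and let `dh_installlogrotate` pick up `debian/setroubleshoot.logrotate` directly. `clean-patched` is also missing from `.PHONY`.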
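Review bot: In debian/watch, the upstream tarball is located over plain `http://` and nothing visible in the packaging verifies what uscan downloads, so the source that gets packaged is only as trustworthy as the network path to that host. Prefer an `https://` URL if the host offers one, and where upstream publishes detached signatures add uscan's `pgpsigurlmangle` option with the upstream key kept in `debian/upstream/signing-key.asc`. Failing both, record a checksum of the imported tarball somewhere reviewable so a later re-download can be compared against it.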
@@ -0,0 +1,48 @@
+#!/bin/sh
+# postinst script for setroubleshoot
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ # workaround plugins import problem
+ [ -f /usr/share/setroubleshoot/plugins/__init__.py ] || \
+ touch /usr/share/setroubleshoot/plugins/__init__.py
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+echo "Reloading DBus"
+invoke-rc.d dbus reload || true
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
--- setroubleshoot-2.0.12.orig/debian/docs
+++ setroubleshoot-2.0.12/debian/docs
@@ -0,0 +1,3 @@
+NEWS
+README
+TODO
--- setroubleshoot-2.0.12.orig/debian/compat
+++ setroubleshoot-2.0.12/debian/compat
@@ -0,0 +1 @@
+7
--- setroubleshoot-2.0.12.orig/debian/postrm
+++ setroubleshoot-2.0.12/debian/postrm
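Review bot: In debian/postinst, the configure branch creates `/usr/share/setroubleshoot/plugins/__init__.py` with `touch`, so the file never appears in dpkg's file list: it is not covered by the package checksums and it stays behind after removal, since the postrm in this diff deletes only the /var directories on purge. Unless setroubleshoot-plugins is meant to own that file, shipping it from the build is cleaner, for example `touch $(CURDIR)/debian/setroubleshoot/usr/share/setroubleshoot/plugins/__init__.py` in the install target of debian/rules. Separately, `invoke-rc.d dbus reload || true` sits after the `esac`, so it also runs for the abort-* calls; moving it into the `configure` branch limits the reload to the case that needs it.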
@@ -0,0 +1,45 @@
+#!/bin/sh
+# postrm script for setroubleshoot
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ purge)
+ rm -rf /var/lib/setroubleshoot
+ rm -rf /var/log/setroubleshoot
+ rm -rf /var/run/setroubleshoot
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
--- setroubleshoot-2.0.12.orig/debian/copyright
+++ setroubleshoot-2.0.12/debian/copyright
@@ -0,0 +1,21 @@
+This package was debianized by Pierre Chifflier on
+Wed, 15 Oct 2008 21:15:36 +0200.
+
+It was downloaded from https://fedorahosted.org/setroubleshoot
+
+Upstream Authors:
+
+ John Dennis
+ Dan Walsh
+
+Copyright 2006,2007,2008 Red Hat, Inc.
+
+License:
+
+ This software is distributed under the GNU General Public License
+ version 2 or later, which can be found at
+ /usr/share/common-licenses/GPL.
+
+The Debian packaging is (C) 2008, Pierre Chifflier and
+is licensed under the GPL, see `/usr/share/common-licenses/GPL'.
+
--- setroubleshoot-2.0.12.orig/debian/changelog
+++ setroubleshoot-2.0.12/debian/changelog
@@ -0,0 +1,12 @@
+setroubleshoot (2.0.12-2) unstable; urgency=low
+
+ * Exit gracefully if SElinux is disabled (Closes: #508089)
+
+ -- Pierre Chifflier Mon, 08 Dec 2008 15:40:08 +0100
+
+setroubleshoot (2.0.12-1) unstable; urgency=low
+
+ * Initial release (Closes: #471701)
+
+ -- Pierre Chifflier Tue, 04 Nov 2008 15:03:49 +0100
+
--- setroubleshoot-2.0.12.orig/debian/pyversions
+++ setroubleshoot-2.0.12/debian/pyversions
@@ -0,0 +1 @@
+2.4-
--- setroubleshoot-2.0.12.orig/debian/setroubleshoot.logrotate
+++ setroubleshoot-2.0.12/debian/setroubleshoot.logrotate
@@ -0,0 +1,8 @@
+/var/log/setroubleshoot/*.log {
+ weekly
+ rotate 2
+ missingok
+ sharedscripts
+# postrotate
+# endscript
+}
--- setroubleshoot-2.0.12.orig/debian/control
+++ setroubleshoot-2.0.12/debian/control
@@ -0,0 +1,41 @@
+Source: setroubleshoot
+Section: admin
+Priority: extra
+Maintainer: Pierre Chifflier
+Build-Depends: debhelper (>= 7),
+ quilt,
+ autotools-dev,
+ python,
+ python-support (>= 0.6),
+ xdg-utils,
+ gettext,
+ intltool,
+ libxml-parser-perl
+Standards-Version: 3.8.0
+Homepage: https://fedorahosted.org/setroubleshoot
+
+Package: setroubleshoot
+Architecture: all
+Depends: ${python:Depends},
+ dbus,
+ python-audit,
+ python-notify,
+ python-rpm,
+ python-gtkhtml2
+Recommends: auditd,
+ policycoreutils,
+ selinux-policy-default,
+ setroubleshoot-plugins
+Description: Tool to help troubleshoot SELinux problems
+ Tools to help diagnose SELinux problems. When AVC messages
+ are generated an alert can be generated that will give information
+ about the problem and help track its resolution. Alerts can be configured
+ to user preference. The same tools can be run on existing log files.
+ .
+ This package provides the SELinux troubleshoot server, and a graphical
+ application to analyze AVC messages, and get some hints on possible
+ solutions.
+
+
+
+
--- setroubleshoot-2.0.12.orig/debian/setroubleshoot.init
+++ setroubleshoot-2.0.12/debian/setroubleshoot.init
@@ -0,0 +1,319 @@
+#!/bin/sh
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides: setroubleshoot
+# Required-Start: $network $local_fs $syslog
+# Required-Stop:
+# Should-Start: $named
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop SELinux Troubleshooting Daemon
+# Description: controls operation of the SELinux Troubleshooting Daemon
+# (setroubleshootd) which listens for SELinux AVC denial messages
+# analyzes it and provides a friendly interpretation.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+DAEMON=/usr/sbin/setroubleshootd # Introduce the server's location here
+NAME=setroubleshoot # Introduce the short server's name here
+DESC=setroubleshoot # Introduce a short description here
+LOGDIR=/var/log/setroubleshoot # Log directory to use
+
+PIDFILE=/var/run/setroubleshootd.pid
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+# Default options, these can be overriden by the information
+# at /etc/default/$NAME
+DAEMON_OPTS="" # Additional options given to the server
+
+DIETIME=10 # Time to wait for the server to die, in seconds
+ # If this value is set too low you might not
+ # let some servers to die gracefully and
+ # 'restart' will not work
+
+#STARTTIME=2 # Time to wait for the server to start, in seconds
+ # If this value is set each time the server is
+ # started (on start or restart) the script will
+ # stall to try to determine if it is running
+ # If it is not set and the server takes time
+ # to setup a pid file the log message might
+ # be a false positive (says it did not start
+ # when it actually did)
+
+LOGFILE=$LOGDIR/$NAME.log # Server logfile
+#DAEMONUSER=setroubleshoot # Users to run the daemons as. If this value
+ # is set start-stop-daemon will chuid the server
+
+# Include defaults if available
+if [ -f /etc/default/$NAME ] ; then
+ . /etc/default/$NAME
+fi
+
+# Use this if you want the user to explicitly set 'RUN' in
+# /etc/default/
+#if [ "x$RUN" != "xyes" ] ; then
+# log_failure_msg "$NAME disabled, please adjust the configuration to your needs "
+# log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
+# exit 1
+#fi
+
+# Check that the user exists (if we set a user)
+# Does the user exist?
+if [ -n "$DAEMONUSER" ] ; then
+ if getent passwd | grep -q "^$DAEMONUSER:"; then
+ # Obtain the uid and gid
+ DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'`
+ DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'`
+ else
+ log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
+ exit 1
+ fi
+fi
+
+
+set -e
+
+check_selinux_enabled() {
+ sestatus=$(sestatus ||: 2>/dev/null)
+ is_enabled=$(echo $sestatus |grep status |tr " " "\n" |tail -n 1)
+
+ if [ "x$is_enabled" != "xenabled" ]; then
+ echo "SElinux is disabled, doing nothing"
+ exit 0
+ fi
+ return 0
+}
+
+running_pid() {
+# Check if a given process pid's cmdline matches a given name
+ pid=$1
+ name=$2
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ # real command line is something like '/usr/bin/python -E /usr/sbin/setroubleshootd'
+ # so the position of the daemon is 3
+ name_position=3
+ cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n $name_position |tail -n 1`
+ # Is this the expected server
+ [ "$cmd" != "$name" ] && return 1
+ return 0
+}
+
+running() {
+# Check if the process is running looking at /proc
+# (works for all users)
+
+ # No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ pid=`cat $PIDFILE`
+ running_pid $pid $DAEMON || return 1
+ return 0
+}
+
+start_server() {
+# Start the process using the wrapper
+ if [ -z "$DAEMONUSER" ] ; then
+ start_daemon $DAEMON -- $DAEMON_OPTS
+ errcode=$?
+ else
+# if we are using a daemonuser then change the user id
+ start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --chuid $DAEMONUSER \
+ --exec $DAEMON -- $DAEMON_OPTS
+ errcode=$?
+ fi
+ return $errcode
+}
+
+stop_server() {
+# Stop the process using the wrapper
+ if [ -z "$DAEMONUSER" ] ; then
+ killproc -p $PIDFILE $DAEMON
+ errcode=$?
+ else
+# if we are using a daemonuser then look for process that match
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE \
+ --user $DAEMONUSER \
+ --exec $DAEMON
+ errcode=$?
+ fi
+
+ return $errcode
+}
+
+reload_server() {
+ [ ! -f "$PIDFILE" ] && return 1
+ pid=pidofproc $PIDFILE # This is the daemon's pid
+ # Send a SIGHUP
+ kill -1 $pid
+ return $?
+}
+
+force_stop() {
+# Force the process to die killing it manually
+ [ ! -e "$PIDFILE" ] && return
+ if running ; then
+ kill -15 $pid
+ # Is it really dead?
+ sleep "$DIETIME"s
+ if running ; then
+ kill -9 $pid
+ sleep "$DIETIME"s
+ if running ; then
+ echo "Cannot kill $NAME (pid=$pid)!"
+ exit 1
+ fi
+ fi
+ fi
+ rm -f $PIDFILE
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $DESC " "$NAME"
+ check_selinux_enabled
+ retcode=$?
+ if [ "$retcode" != "0" ]; then
+ log_progress_msg "SELinux is disabled, not starting"
+ log_end_msg 0
+ exit 0
+ fi
+
+ # Check if it's running first
+ if running ; then
+ log_progress_msg "apparently already running"
+ log_end_msg 0
+ exit 0
+ fi
+ if start_server ; then
+ # NOTE: Some servers might die some time after they start,
+ # this code will detect this issue if STARTTIME is set
+ # to a reasonable value
+ [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time
+ if running ; then
+ # It's ok, the server started and is running
+ log_end_msg 0
+ else
+ # It is not running after we did start
+ log_end_msg 1
+ fi
+ else
+ # Either we could not start it
+ log_end_msg 1
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ if running ; then
+ # Only stop the server if we see it running
+ errcode=0
+ stop_server || errcode=$?
+ log_end_msg $errcode
+ else
+ # If it's not running don't do anything
+ log_progress_msg "apparently not running"
+ log_end_msg 0
+ exit 0
+ fi
+ ;;
+ force-stop)
+ # First try to stop gracefully the program
+ $0 stop
+ if running; then
+ # If it's still running try to kill it more forcefully
+ log_daemon_msg "Stopping (force) $DESC" "$NAME"
+ errcode=0
+ force_stop || errcode=$?
+ log_end_msg $errcode
+ fi
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+
+ check_selinux_enabled
+ retcode=$?
+ if [ "$retcode" != "0" ]; then
+ log_progress_msg "SELinux is disabled, not starting"
+ log_end_msg 0
+ exit 0
+ fi
+
+ errcode=0
+ stop_server || errcode=$?
+ # Wait some sensible amount, some server need this
+ [ -n "$DIETIME" ] && sleep $DIETIME
+ start_server || errcode=$?
+ [ -n "$STARTTIME" ] && sleep $STARTTIME
+ running || errcode=$?
+ log_end_msg $errcode
+ ;;
+ status)
+
+ log_daemon_msg "Checking status of $DESC" "$NAME"
+ if running ; then
+ log_progress_msg "running"
+ log_end_msg 0
+ else
+ log_progress_msg "apparently not running"
+ log_end_msg 1
+ exit 1
+ fi
+ ;;
+ # Use this if the daemon cannot reload
+ reload)
+ log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon"
+ log_warning_msg "cannot re-read the config file (use restart)."
+ ;;
+ # And this if it cann
+ #reload)
+ #
+ # If the daemon can reload its config files on the fly
+ # for example by sending it SIGHUP, do it here.
+ #
+ # If the daemon responds to changes in its config file
+ # directly anyway, make this a do-nothing entry.
+ #
+ # log_daemon_msg "Reloading $DESC configuration files" "$NAME"
+ # if running ; then
+ # reload_server
+ # if ! running ; then
+ # Process died after we tried to reload
+ # log_progress_msg "died on reload"
+ # log_end_msg 1
+ # exit 1
+ # fi
+ # else
+ # log_progress_msg "server is not running"
+ # log_end_msg 1
+ # exit 1
+ # fi
+ #;;
+
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- setroubleshoot-2.0.12.orig/debian/README.Debian
+++ setroubleshoot-2.0.12/debian/README.Debian
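Review bot: In debian/setroubleshoot.init, check_selinux_enabled does not test what it appears to: `echo $sestatus` is unquoted, so the whole sestatus output is collapsed onto one line and `tail -n 1` yields the last word of the entire output rather than of the status line, which would presumably not be `enabled` whenever sestatus prints further lines after the status. The `2>/dev/null` there also binds to `:` instead of `sestatus`. Reading only the relevant line avoids both, e.g. `is_enabled=$(sestatus 2>/dev/null | awk '/^SELinux status:/ {print $NF}')`. Because the function calls `exit 0` itself, the `retcode` branches in start and restart are unreachable. In reload_server, `pid=pidofproc $PIDFILE` runs `$PIDFILE` as a command instead of capturing a pid; `pid=$(pidofproc -p "$PIDFILE" "$DAEMON")` looks like what was meant, which matters once the commented-out reload case is enabled.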
@@ -0,0 +1,27 @@
+setroubleshoot for Debian
+=========================
+
+Requirements
+------------
+
+To work correctly on a single host, the following packages are required::
+
+ - selinux-basic, selinux-policy-default (with SELinux enabled, in Permissive or Enforcing mode)
+ - auditd, sending events to /var/run/audispd_events (default auditd config)
+ - setroubleshoot-plugins
+
+If you don't have setroubleshoot-plugins installed, you will never get
+any alert !
+
+These packages are marked as Recommends (and not Depends), because they are
+optional in case you are connecting to a remote server.
+
+Debian specific changes
+-----------------------
+
+setroubleshoot checks the alert context to avoid infinite loops.
+However, the check is done by comparing setroubleshootd context to the alert
+context, which won't work until a SELinux policy is written for
+setroubleshootd (it actually runs as unconfined_t).
+
+ -- Pierre Chifflier Fri, 17 Oct 2008 23:28:28 +0200
--- setroubleshoot-2.0.12.orig/debian/patches/series
+++ setroubleshoot-2.0.12/debian/patches/series
@@ -0,0 +1 @@
+10_remove_context_check.patch
--- setroubleshoot-2.0.12.orig/debian/patches/10_remove_context_check.patch
+++ setroubleshoot-2.0.12/debian/patches/10_remove_context_check.patch
@@ -0,0 +1,13 @@
+Index: setroubleshoot-2.0.11/src/avc_audit.py
+===================================================================
+--- setroubleshoot-2.0.11.orig/src/avc_audit.py 2008-10-17 22:38:31.000000000 +0200
++++ setroubleshoot-2.0.11/src/avc_audit.py 2008-10-17 22:39:36.000000000 +0200
+@@ -56,7 +56,7 @@
+ if avc.scontext.type == None or avc.tcontext.type == None:
+ return False
+
+- if my_context.type == avc.scontext.type:
++ if my_context.type == avc.scontext.type and my_context.type == "unconfined_t":
+ log_program.error( "setroubleshoot generated AVC, exiting to avoid recursion, context=%s, AVC scontext=%s", my_context, avc.scontext)
+ log_program.error( "audit event\n%s", avc.audit_event.format())
+ sys.exit(0)
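Review bot: The added condition `my_context.type == "unconfined_t"` in 10_remove_context_check.patch looks inverted relative to README.Debian, which says the context comparison cannot work while setroubleshootd itself runs as unconfined_t. As written, the daemon still exits on any AVC whose source type is unconfined_t when it runs unconfined, and the recursion guard is switched off for every other domain, so a daemon confined under its own type would no longer stop on AVCs it generates itself. If the intent is to skip the check only in the unconfined case, the test would be `if my_context.type == avc.scontext.type and my_context.type != "unconfined_t":`. The enclosing function starts and ends outside the hunk, so this reading rests on the visible lines and the README.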