Linux OS Service ‘setroubleshoot’

SELinux (Security Enhanced Linux) provides mandatory access control to the Linux operating system. SELinux is quite pervasive, even if only in PERMISSIVE mode. This can expose latent bugs in non-SELinux components that are not visible unless SELinux is running. Frustrated users have developed the perception that SELinux is difficult to use.

The setroubleshoot service is intended to make SELinux more friendly. It collects SELinux audit events from the kernel and runs a series of analysis plug-ins to examine each access violation detected by SELinux. It then records the results of the analysis and signals any clients which have requested notifications of these events. One tool which makes use of this is the sealert tool, which presents desktop notifications similar to email biff alerts.

SELinux must be enabled to run this service; the service checks this with the /usr/sbin/selinuxenabled tool before starting the daemon. Use the command below to install setroubleshoot.

# yum install setroubleshoot

Service Control

How to start or stop this service:

# service setroubleshoot start|stop

Output of "chkconfig --list setroubleshoot":

# chkconfig --list setroubleshoot
setroubleshoot  0:off 1:off 2:off 3:on 4:on 5:on 6:off
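As an added example (not part of the original page), the following POSIX shell functions parse a chkconfig --list line of the shape shown above and report in which runlevels the service is on, and wrap the same /usr/sbin/selinuxenabled check the service relies on. The sample chkconfig line is constructed here so the script runs offline; the function names are my own.

```shell
# Added example: check that setroubleshoot is enabled at boot in the expected
# runlevels by parsing chkconfig --list output, and that SELinux is enabled.

# Constructed sample line, identical in shape to `chkconfig --list setroubleshoot`.
SAMPLE_CHKCONFIG='setroubleshoot  0:off 1:off 2:off 3:on 4:on 5:on 6:off'

# Print the space-separated runlevels in which the service is "on".
# $1: one line of chkconfig --list output
runlevels_on() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep ':on$' | cut -d: -f1 \
        | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 only if the service is "on" in every runlevel passed after the line.
# Usage: enabled_in_runlevels "$line" 3 5
enabled_in_runlevels() {
    line=$1
    shift
    on=$(runlevels_on "$line")
    for rl in "$@"; do
        case " $on " in
            *" $rl "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Same test the setroubleshoot service performs: selinuxenabled exits 0 when
# SELinux is enabled. Returns non-zero when the tool is absent (non-SELinux host).
selinux_enabled() {
    if [ -x /usr/sbin/selinuxenabled ]; then
        /usr/sbin/selinuxenabled
    else
        return 1
    fi
}

# Stand-alone usage: report the runlevels and whether the daemon can start.
if [ "${1:-}" = "--check" ]; then
    echo "setroubleshoot on in runlevels: $(runlevels_on "$SAMPLE_CHKCONFIG")"
    if selinux_enabled; then
        echo "SELinux is enabled; setroubleshoot can run"
    else
        echo "SELinux is not enabled; setroubleshoot will not start"
    fi
fi
```

Run with `sh script.sh --check`; on a host where SELinux is disabled the second line tells you why `service setroubleshoot start` would fail, and the runlevel check catches a service that was started by hand but never enabled with chkconfig.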

Examples of all usage options:

# /etc/init.d/setroubleshoot
{start|stop|status|restart|condrestart|reload|cleardb}

The cleardb option is unique to this service. This deletes the current notification database file at /var/lib/setroubleshoot/database.xml and effectively clears the event log.

Configuration

The setroubleshoot service is controlled by the /etc/setroubleshoot/setroubleshoot.cfg configuration file. Most installations can leave it at its defaults, but may wish to review it for additional features such as its ability to send email messages for each access denial. The name of the configuration file is /etc/setroubleshoot/setroubleshoot.conf in CentOS/RHEL 7.
