author | Bryn M. Reeves <bmr@redhat.com> | 2013-04-22 16:48:01 +0100 |
---|---|---|
committer | Bryn M. Reeves <bmr@redhat.com> | 2013-04-22 16:48:01 +0100 |
commit | d24a27a5e6205a3b63875b683a9463a6a8c8f420 (patch) | |
tree | e674f2cfb4a6a9928aeddb337b6457d381003edf | |
parent | 44f0d96b5a06ab8f1811134572ce35e9f8790483 (diff) | |
Update SELinux plug-in for modern distributions
The old SELinux module has had no maintenance in some time. Add
the output of the following commands:
- sestatus -b [ SELinux status and booleans ]
- selinuxdefcon root
- selinuxconlist root
- selinuxexeccon /bin/passwd
Add '-v' to fixfiles command line to produce more verbose output.
Drop all setroubleshoot support - this is an optional package for
all supported distributions and should be handled in a separate
sos plug-in.
Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
-rw-r--r-- | sos/plugins/selinux.py | 29 |
1 files changed, 8 insertions, 21 deletions
diff --git a/sos/plugins/selinux.py b/sos/plugins/selinux.py
index c3501eec..d35010a7 100644
--- a/sos/plugins/selinux.py
+++ b/sos/plugins/selinux.py
@@ -17,30 +17,17 @@ from sos.plugins import Plugin, RedHatPlugin
 class selinux(Plugin, RedHatPlugin):
 """selinux related information
 """
+ option_list = [("fixfiles", 'Print incorrect file context labels', 'slow', False)]
+ packages = ('libselinux',)
+
 def setup(self):
 # sestatus is always collected in check_enabled()
 self.add_copy_spec("/etc/selinux")
 if self.get_option('fixfiles'):
- self.add_cmd_output("fixfiles check")
- self.add_forbidden_path("/etc/selinux/targeted")
-
- if not self.policy().pkg_by_name('setroubleshoot'):
- return
+ self.add_cmd_output("fixfiles -v check")
+ self.add_cmd_output("sestatus -b")
+ self.add_cmd_output("selinuxdefcon root")
+ self.add_cmd_output("selinuxconlist root")
+ self.add_cmd_output("selinuxexeccon /bin/passwd")
- # Check for SELinux denials and capture raw output from sealert
- if self.policy().default_runlevel() in self.policy().runlevel_by_service("setroubleshoot"):
- # TODO: fixup regex for more precise matching
- sealert=do_regex_findall(r"^.*setroubleshoot:.*(sealert\s-l\s.*)","/var/log/messages")
- if sealert:
- for i in sealert:
- self.add_cmd_output("%s" % i)
- self.add_alert("There are numerous selinux errors present and "+
- "possible fixes stated in the sealert output.")
- def check_enabled(self):
- try:
- if self.get_cmd_output_now("sestatus", root_symlink = "sestatus").split(":")[1].strip() == "disabled":
- return False
- except:
- pass
- return True |
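Review bot: The comment `# sestatus is always collected in check_enabled()` at the top of setup() is stale on the new side, because this commit deletes check_enabled() and collects `sestatus -b` in setup() itself; replace it with something like `# sestatus -b is collected below` or drop it. The hunk also removes `self.add_forbidden_path("/etc/selinux/targeted")`, which the commit message does not mention, so `add_copy_spec("/etc/selinux")` now copies the targeted policy tree into the report as well; if that exclusion was deliberate (archive size, or keeping policy-store contents out of a report that is handed to third parties), keep the line. With check_enabled() gone the plug-in appears to be gated only by `packages = ('libselinux',)`, so it presumably also runs on hosts where SELinux is disabled, and it is worth confirming that the `selinuxdefcon`, `selinuxconlist` and `selinuxexeccon` calls failing there is acceptable. Indentation is lost in this rendering, so whether the four new commands sit under the `fixfiles` option or run unconditionally cannot be confirmed from the page.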