Man Linux: Main Page and Category List


       sealert - setroubleshoot client tool


       sealert [-b] [-h] [-s] [-S] [-l id] [-a file] [-v] [-V] [-u] [-p]


       This manual page describes the sealert program.

       sealert is the user interface component (either GUI or command line) to
       the setroubleshoot system. setroubleshoot is used to  diagnose  SELinux
       denials  and  attempts  to  provide  user  friendly  explanations for a
       SELinux denial (e.g. AVC) and recommendations for how one might  adjust
       the system to prevent the denial in the future.

       In   a   standard  configuration  setroubleshoot  is  composed  of  two
       components, setroubleshootd and sealert.

       setroubleshootd is a system daemon which runs with root privileges  and
       listens  for  audit  events emitted from the kernel related to SELinux.
       When the setroubleshootd daemon sees an SELinux AVC denial  it  runs  a
       series of analysis plugins which examines the audit data related to the
       AVC. It records the results of the analysis  and  signals  any  clients
       which  have attached to the setroubleshootd daemon that a new alert has
       been seen.

       sealert can be run in either a GUI mode or a command line mode. In both
       instances  sealert run as a user process with the privileges associated
       with the user. In GUI mode it  attaches  to  a  setroubleshootd  server
       instance  and  listens  for notifications of new alerts. By default the
       setroubleshootd server instance  is  the  one  on  the  local  machine,
       however  one  can connect via TCP to another server instance on another
       machine. When a new alert arrives it alerts  the  desktop  user  via  a
       notification  in  the  status icon area. The user may then click on the
       alert notification which will open an alert browser. In addition to the
       current  alert  sealert communicates with the setroubleshootd daemon to
       access all prior alerts stored in the setroubleshoot database.

       The user may elect to tag any given alert  as  being  "silent"  in  the
       browser  which  prevents  any  future notification for the given alert.
       This is useful when a user is already aware of a  reoccurring  problem.
       Alerts  may  be  deleted in the browser by selecting one or more alerts
       and using the menu item to mark them for deletion.  The  marked  alerts
       are  not  actually deleted until the user selects the command to delete
       all alerts marked for deletion. This is analogous to many popular  IMAP
       email  clients. The user may elect to hide in the browser alerts marked
       for deletion and/or alerts which have been marked as silent, this helps
       keep the browser less cluttered.

       In  addition  to alerts provided by the setroubleshoot daemon the "Scan
       Logfile" menu item provides the user with the ability  to  scan  a  log
       file  which  may  contain  audit messages, run the same analysis on the
       audit messages as the setroubleshootd daemon would done and then browse
       the alerts generated by the log file scan. The user may switch back and
       forth between "audit" alerts  from  the  daemon  and  "logfile"  alerts
       generated by the scan.

       sealert  may  also  be  run  in  command line mode. The two most useful
       command line options are -l to "lookup" an alert ID and -a to "analyze"
       a  log file. When setroubleshootd generates a new alert it assigns it a
       local ID and writes this as a syslog message. The -l lookup option  may
       then  be  used  to  retrieve  the  alert from the setroubleshootd alert
       database  and  write  it  to  stdout.  This   is   most   useful   when
       setroubleshootd  is  being  run  on  a  headless system without the GUI
       desktop alert facility. The -a analyze  option  is  equivalent  to  the
       "Scan  Logfile"  command  in  the  browser. The log file is scanned for
       audit messages, analysis  is  performed,  alerts  generated,  and  then
       written to stdout. In both cases the -H option can be used to cause the
       alert to be written out in HTML format rather than  the  default  plain


       You may ask sealert to parse a file accumulating all the audit messages
       it finds in that  file.  As  each  audit  event  is  recognized  it  is
       presented  for  analysis  which  may  generate  an  alert report if the
       analysis was successful. If the same type of  event  is  seen  multiple
       times  resulting  in  the  same report the results are coalesced into a
       single report. The report count field will indicate the number of times
       the  tool thought it saw the same issue. The report will also include a
       list of every line number on which  it  found  an  audit  record  which
       contributed  to the coalesced report. This will allow you to coordinate
       the contents of the file with the analysis results if need be.

       Log file scanning may be initiated from the  sealert  browser  via  the
       File::ScanLogFile  menu  or  from  the  command  line  via  ’sealert -a
       filename’. Please note that sealert runs as a user level  process  with
       the  permissions  of  the  user  running  it. Many system log files are
       readable by root only. To work around this if you have root access  one
       can  copy  the  file  as  root  to  a  temporary  file  and change it’s
       permissions. This is a good solution when scanning via  the  GUI  as  a
       normal  user. Or you might consider su’ing to root and run the analysis
       via the command line (e.g. sealert -a filename).

       The audit records in the log file must be valid  syntactically  correct
       audit messages or the parser will ignore them.

       If  you  use the GUI browser to scan a log file you should be aware the
       browser can track and  display  alert  reports  from  two  simultaneous
       sources,  either  the  alerts  from the setroubleshootd server which is
       connected to the audit system or the alert  reports  from  a  log  file
       scan.  The  View  menu  has  entries  which allow you to toggle between
       viewing the audit system reports and the scanned file reports.


       -b --browser
              Launch the browser

       -h --help
              Show this message

       -H --html_output
              Ouput in html, Used with the -a or -l option

       -s --service
              Start sealert service,  Usually used by dbus.

       -S --noservice
              Start sealert without dbus service as stand alone app

       -l --lookupid id
              Lookup alert by id, if id is wildcard * then return all alerts

       -a --analyze file
              Scan a log file, analyze it’s AVC’s

       -v --verbose
              Start in verbose mode -V --debug Start in debug mode (i.e.  very

       -u --user
              logon as user

       -p --password
              set user password


       Connect To...
              Connect  to  a different setroubleshoot server, browse the alert
              from that server’s database.

       Scan Logfile...
              Scan a log file, then browse alert results from that log file.

       Save As...
              Save selected alerts in file.

              Print the selected alerts.

       Edit Email Alert List...
              Edit the list of email addresses which receive alerts via email.
              Also  allows modifying the conditions under which an email alert
              is generated.

       Close  Close the window.

       Select All
              Select all alerts in the browser.

       Select None
              Remove all the alert selections in the browser.

       Copy   Copy selected text in the detail pane to the clipboard.

       Copy Alert
              Copy selected alerts in their entirety to clipboard with  proper
              text formatting.

       Mark Delete
              Each selected alert will be marked for later deletion.

              Clear deletion flag from the selected alerts.

       Remove Marked Deleted
              Permanently delete all alerts marked for deletion.

       Hide deleted
              Toggle whether deleted alerts appear in the browser list.

       Hide quiet
              Toggle whether alerts which are flagged as being quiet appear in
              the browser list.

       Show Toolbar
              Toggle the toolbar on/off.

       View Audit Alerts
              View alerts from audit system (more specifically  from  whatever
              setroubleshoot  server  the  browser is connected to). Note, the
              browser can display either  alerts  from  the  audit  system  or
              alerts from a log file scan.

       View Logfile Scan
              View  alerts  from the last log file scan. Note, the browser can
              display either alerts from the audit system or alerts from a log
              file scan.


       This  man  page was written by John Dennis <> and Dan
       Walsh <>.



                                   20061121                         sealert(8)