9

I have a fresh CentOS 7 install and I see `setroubleshootd` with high CPU usage. How can I fix this? What is this process doing?

stiv
  • Are there SELinux issues logged in `/var/log/audit/audit.log` (AVC denials)? – sebasth Apr 05 '19 at 15:47
  • well, yes, there is something connected with mongodb there... – stiv Apr 05 '19 at 15:51
  • I had the same issue and in the end it was caused by an error in configuration, specifically MongoDB. I believe SE is notifying you of an actual issue. – Calabacin Jul 07 '22 at 16:36

4 Answers

6

First of all, you should not disable SELinux. So what could cause the high CPU usage of setroubleshootd?

Try to find out in which mode SELinux is running on the machine by typing `sestatus`. It should show several lines. The interesting parts are `SELinux status:` and `Current Mode`, which are usually `enabled` and `enforcing`. If the current mode is permissive, then SELinux does not block anything but only logs it (good for troubleshooting).

Assuming SELinux is enabled and in enforcing mode, now take a look at the log `/var/log/audit/audit.log`. I would recommend using `tail -f /var/log/audit/audit.log` to see live changes of the file.

Because you have high CPU load of setroubleshootd I assume you have permanent changes/entries in the file, meaning something permanently violates the SELinux policy and the output could give you a first clue why.

For more in-depth troubleshooting you could install setroubleshoot-server with `yum install setroubleshoot-server`. This package is a set of tools that can help you to find the real cause of the SELinux violation. Most of the time it happens when you added files to the system without setting the correct SELinux permissions or a process tries to access a non-typical file or folder.

I would recommend you read this document about SELinux first and this document to get an overview and then look at documents like this for your distribution.

There is a bit of a learning curve with SELinux and too much for a simple answer, but I would never ever disable it on a public facing server.

PCFreak
  • that `setroubleshoot-server` actually is `setroubleshootd` ... – Martin Zeitler Apr 12 '19 at 00:54
  • This doesn't really answer the question. There should be a way to limit the impact this process can have on performance. If there is some sort of an attack and setroubleshootd takes up too much CPU, it could cause an outage that would not otherwise happen. – Kramer Mar 17 '21 at 14:32
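
Added example, not part of the answer above: instead of watching `tail -f`, this groups the AVC denials in an audit log by process, source type, target type, class and permission, so the denial that keeps repeating stands out. The function name `avc_summary` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank SELinux AVC denials by how often each one repeats.
# On a real host (as root): avc_summary /var/log/audit/audit.log

avc_summary() {   # usage: avc_summary [FILE...]  (reads stdin when no file is given)
    awk '
    /type=AVC/ && /denied/ {
        comm = src = tgt = cls = perm = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # permissions sit between the braces
                perm = ""
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^comm=/) {
                comm = substr($i, 6); gsub(/"/, "", comm)
            } else if ($i ~ /^scontext=/) {        # user:role:type:level, keep the type
                split(substr($i, 10), c, ":"); src = c[3]
            } else if ($i ~ /^tcontext=/) {
                split(substr($i, 10), c, ":"); tgt = c[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            }
        }
        seen[comm " " src " -> " tgt ":" cls " { " perm " }"]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
    ' "$@" | sort -rn
}

# Constructed sample input (not taken from a real system).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1554479221.101:901): avc:  denied  { read } for  pid=2211 comm="mongod" name="netstat" dev="proc" ino=4026532009 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1554479221.101:901): arch=c000003e syscall=2 success=no exit=-13 pid=2211 comm="mongod" exe="/usr/bin/mongod"
type=AVC msg=audit(1554479222.102:902): avc:  denied  { read } for  pid=2211 comm="mongod" name="netstat" dev="proc" ino=4026532009 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554479223.103:903): avc:  denied  { read } for  pid=2211 comm="mongod" name="netstat" dev="proc" ino=4026532009 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554479224.104:904): avc:  denied  { search } for  pid=2211 comm="mongod" name="fs" dev="proc" ino=7001 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1554479225.105:905): avc:  denied  { read open } for  pid=2211 comm="mongod" name="example.dat" dev="dm-0" ino=8002 scontext=system_u:system_r:mongod_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
EOF
}

sample_audit_log | avc_summary
```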
2

a) Install setroubleshoot.x86_64 for a GUI; this might be easier than using tail.

```
# yum install setroubleshoot.x86_64 setroubleshoot-plugins.noarch
```

Adding SELinux policies for mongodb (and possibly others) might reduce the load.

Please note that the suggestions it makes can sometimes be useless/misleading.

b) Reinstalling setroubleshootd might be an option:

```
yum reinstall setroubleshoot-server
```

Martin Zeitler
0

Granted this is an old question, but neither of the solutions made a difference. I found this answer: completely uninstalling flatpak actually eliminated the excessive CPU usage.

Stephen Kitt
tofirius
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/429704) – Stephen Kitt Nov 23 '22 at 10:59
  • As you'll note in my original answer that "completely uninstalling flatpak, actually eliminated the excessive CPU usage" which was the essential part of the linked answer. – tofirius Nov 24 '22 at 15:33
  • Sorry, I misread “I found this answer … which eliminated the excessive CPU usage” as suggesting that there was something else in the answer which eliminated the CPU usage, not just removing Flatpak. – Stephen Kitt Nov 24 '22 at 17:17
-3

That daemon setroubleshootd is part of SELinux (Security Enhanced Linux). SELinux was implemented to provide a context type to files to add more security and comply with NSA requirements. SELinux can cause issues if not properly configured and employed. Setroubleshootd monitors and reports SELinux issues, and provides resolution recommendations.

Determine if you actually need SELinux to run. If not, disable it.

Click here for more info on Disabling SELinux.

ZarNix
  • SE is notifying of a problem that will not be solved by disabling it, it could actually be worsened. SELinux should never be disabled, especially in production environments or any server open to access. – Calabacin Jan 28 '22 at 12:55