|Main Archive Page > Month Archives > selinux archives|
Stephen Smalley wrote: > On Wed, 2008-11-12 at 11:49 +1000, Murray McAllister wrote:
>> The following are drafts for the "Fixing Problems" section. Any
>> comments and corrections are appreciated.
>> Linux Permissions
>> When access is denied, check standard Linux permissions. As mentioned in
>> Chapter 2, Introduction, most operating systems use a Discretionary
>> Access Control (DAC) system to control access, allowing users to control
>> the permissions of files that they own. SELinux policy rules are checked
>> after DAC rules. SELinux policy rules are not used if DAC rules deny
>> access first.
>> If access is denied and no SELinux denials are logged,
> > Logically you would also mention the dontaudit case here, and how to > check for denials hidden by dontaudit rules. >
How about (keeping in mind I have not really heard of this before):
dontaudit Rules and Linux Permissions
Bugs in applications may cause a lot of SELinux denials, but such denials may not prevent the application from running correctly. For these situations, dontaudit rules can be added to policy to prevent log files being filled with denial messages. The downside of this is that, although SELinux denies access, denial messages are not logged, making troubleshooting hard.
To temporarily disable dontaudit rules, allowing all denials to be logged, run the following command as the Linux root user:
The -D option disables dontaudit rules; the -B option rebuilds policy. The dontaudit rules are disabled until policy is rebuilt. To rebuild policy and enable dontaudit rules, run the following command as the Linux root user:
For a full list of dontaudit rules, run the sesearch --dontaudit command. Narrow down searches using the -s domain option and the grep command. For example:
[output from "sesearch --dontaudit -s smbd_t | grep squid "]
Refer to Section 7.3.5, “Raw Audit Messages” and Section 7.3.6, “sealert Messages” for information about analyzing denials.
After resolving any issues found by removing dontaudit rules, or if disabling these rules did not produce denials for your situation, check standard Linux permissions. [rest of Linux Permissions content].
Thanks. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to firstname.lastname@example.org with the words "unsubscribe selinux" without quotes as the message.