Stephen Smalley wrote:
> On Wed, 2008-11-12 at 11:49 +1000, Murray McAllister wrote:
>> Hi,
>>
>> The following are drafts for the "Fixing Problems"[1] section. Any
>> comments and corrections are appreciated.
>>
>> Linux Permissions
>>
>> When access is denied, check standard Linux permissions. As mentioned in
>> Chapter 2, Introduction, most operating systems use a Discretionary
>> Access Control (DAC) system to control access, allowing users to control
>> the permissions of files that they own. SELinux policy rules are checked
>> after DAC rules. SELinux policy rules are not used if DAC rules deny
>> access first.
>>
>> If access is denied and no SELinux denials are logged,
>
> Logically you would also mention the dontaudit case here, and how to
> check for denials hidden by dontaudit rules.
>
How about (keeping in mind I have not really heard of this before):
dontaudit Rules and Linux Permissions
Bugs in applications may cause a lot of SELinux denials, but such denials may not prevent the application from running correctly. For these situations, dontaudit rules can be added to policy to prevent log files being filled with denial messages. The downside of this is that, although SELinux denies access, denial messages are not logged, making troubleshooting hard.
To temporarily disable dontaudit rules, allowing all denials to be logged, run the following command as the Linux root user:
/usr/sbin/semodule -DB
The -D option disables dontaudit rules; the -B option rebuilds policy. The dontaudit rules are disabled until policy is rebuilt. To rebuild policy and enable dontaudit rules, run the following command as the Linux root user:
/usr/sbin/semodule -B
For a full list of dontaudit rules, run the sesearch --dontaudit command. Narrow down searches using the -s domain option and the grep command. For example:
[output from "sesearch --dontaudit -s smbd_t | grep squid "]
Refer to Section 7.3.5, “Raw Audit Messages” and Section 7.3.6, “sealert Messages” for information about analyzing denials.
After resolving any issues found by removing dontaudit rules, or if disabling these rules did not produce denials for your situation, check standard Linux permissions. [rest of Linux Permissions content].
Thanks.
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
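The draft above describes the procedure only in words: disable dontaudit rules with semodule -DB, reproduce the problem, read the denials, then rebuild with semodule -B. The script below is an added example, not part of this thread or of the SELinux project's tooling. It scripts that procedure and answers the question the draft leaves to the reader: which denials were actually being hidden. It does so by collecting the AVC tuples (source context, target context, class, permissions) from one run with dontaudit in force and one with it disabled, and printing the difference. Assumptions: a POSIX shell with awk, sort, uniq and sed; /usr/sbin/semodule and ausearch are present and the script runs as root for the --live mode; the audit lines in SAMPLE_BEFORE and SAMPLE_AFTER are constructed, including their contexts, pids and inode numbers, and are not taken from any real system. Without arguments the script only runs the offline demonstration on those constructed lines.

```shell
#!/bin/bash
# Added example, not part of the mailing-list thread. It wraps the draft's
# "semodule -DB ... reproduce ... semodule -B" procedure and shows which denials
# were hidden by dontaudit rules. Assumptions: a POSIX shell with awk, sort, sed
# and uniq; /usr/sbin/semodule and ausearch exist on the live path; the SAMPLE_*
# audit lines below are constructed (hypothetical contexts, pids and inodes).

# Reduce raw audit lines on stdin to unique "scontext tcontext tclass { perms }"
# tuples, one per line, sorted. Lines that are not AVC denials are ignored.
avc_tuples() {
    awk '
        /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms)   # keep only the text inside { ... }
            sub(/ *[}].*/, "", perms)
            scon = ""; tcon = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) scon = substr($i, 10)
                else if ($i ~ /^tcontext=/) tcon = substr($i, 10)
                else if ($i ~ /^tclass=/) cls = substr($i, 8)
            }
            if (scon != "" && tcon != "" && cls != "")
                print scon " " tcon " " cls " { " perms " }"
        }' | LC_ALL=C sort -u
}

# Print the tuples present in $2 (dontaudit disabled) but absent from $1
# (dontaudit in force). Every $1 line is emitted twice, so "uniq -u", which
# keeps only lines occurring exactly once, leaves just the $2-only lines.
newly_visible() {
    { printf '%s\n' "$1" "$1" "$2"; } | LC_ALL=C sort | uniq -u | sed '/^$/d'
}

# Live procedure (root): run the reproducer with dontaudit rules in force, then
# again with them disabled, and diff the two denial sets. ausearch's -ts takes
# the date and the time as two arguments, hence the unquoted $mark. dontaudit
# is put back in force (policy rebuilt) even if the reproducer fails or the
# shell is interrupted.
hunt_hidden_denials() {
    reproducer=$1
    mark=$(LC_ALL=C date '+%m/%d/%Y %H:%M:%S')
    sh -c "$reproducer" || true
    before=$(LC_ALL=C ausearch -m AVC -ts $mark 2>/dev/null | avc_tuples)

    /usr/sbin/semodule -DB || return 1   # -D: disable dontaudit, -B: rebuild policy
    trap '/usr/sbin/semodule -B' EXIT    # restore dontaudit if we are interrupted
    mark=$(LC_ALL=C date '+%m/%d/%Y %H:%M:%S')
    sh -c "$reproducer" || true
    after=$(LC_ALL=C ausearch -m AVC -ts $mark 2>/dev/null | avc_tuples)
    /usr/sbin/semodule -B                # rebuild with dontaudit rules back in force
    trap - EXIT

    echo "Denials that only appeared with dontaudit disabled:"
    newly_visible "$before" "$after"
}

# Constructed sample audit lines (hypothetical contexts, pids and inodes).
SAMPLE_BEFORE=$(cat <<'EOF'
type=SYSCALL msg=audit(1226454540.100:39): arch=c000003e syscall=2 success=no exit=-13 comm="smbd"
type=AVC msg=audit(1226454540.101:40): avc:  denied  { write } for  pid=2201 comm="smbd" name="log.smbd" dev=dm-0 ino=9001 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=file
EOF
)
SAMPLE_AFTER=$(cat <<'EOF'
type=AVC msg=audit(1226454600.201:44): avc:  denied  { write } for  pid=2201 comm="smbd" name="log.smbd" dev=dm-0 ino=9001 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=file
type=AVC msg=audit(1226454600.207:45): avc:  denied  { getattr } for  pid=2201 comm="smbd" path="/etc/squid/squid.conf" dev=dm-0 ino=5678 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=file
type=AVC msg=audit(1226454600.208:46): avc:  denied  { read } for  pid=2201 comm="smbd" path="/etc/squid/squid.conf" dev=dm-0 ino=5678 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=file
EOF
)

# Offline demonstration on the constructed lines: only the squid_conf_t denials
# were hidden by dontaudit rules; the samba_log_t one was logged all along.
demo_offline() {
    newly_visible "$(printf '%s\n' "$SAMPLE_BEFORE" | avc_tuples)" \
                  "$(printf '%s\n' "$SAMPLE_AFTER" | avc_tuples)"
}

case ${1:-} in
    --live) hunt_hidden_denials "$2" ;;   # --live '<command that reproduces the failure>'
    *)      demo_offline ;;
esac
```

Run without arguments to see the offline diff on the constructed lines; run as root with --live and a reproducer command to perform the real semodule -DB / semodule -B cycle. The diff approach matters because denials that were already logged with dontaudit in force are usually unrelated to the problem; the ones that appear only after semodule -DB are the candidates for a missing allow rule or a mislabelled file, which is what the draft's Section 7.3.5 and 7.3.6 references then help analyze.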