Joshua Brindle wrote:
> Eric Paris wrote:
>> On Wed, 2007-09-19 at 17:35 +0100, Martin Orr wrote:
>>> On 18/09/07 22:54, Chad Sellers wrote:
>>>> One other note - how does a special debug domain that allows everything
>>>> except things that are dontaudit'd solve the use case that's been
>>>> around. If I'm the IT guy, and I'm using this permissive domain to
>>>> try out a policy for 3 months in a permissive environment, I certainly
>>>> don't want certain items to be denied. Even worse, the current idea
>>>> would have denied and not even audit'd. So, instead of causing a
>>>> problem 3 months from now when I switch to enforcing, it causes
>>>> problems the day I install. Millions are still lost, people still say
>>>> SELinux sucks, and I (the writer) still get fired (with 3 months less
>>>> pay as well).
>>> To pick out one particular point here, tracking down problems caused by
>>> denials which have dontaudit rules is difficult, because by definition
>>> they are not logged. (I have what I guess is such a problem now: iff
>>> is on, the mails cron sends me are empty.) Would it not be useful to
>>> have a way of disabling dontaudit rules, perhaps on a global or perhaps
>>> on a per-domain basis? Just as dontaudit rules are orthogonal to allow,
>>> this setting would be orthogonal to permissive/enforcing.
>>> Please forgive me if this is already possible and I have missed it.
>> nope, you didn't miss it, but it should be coming from the userspace
>> people sometime.....
>
> It's been in svn since 2007-08-16, versions:
> libsemanage 2.0.4
> policycoreutils 2.0.23
> libsepol 2.0.6
>
Hrm.. I suppose my response could have been a little more helpful.
http://marc.info/?l=selinux&m=118670946125889&w=2

If you have the versions mentioned above you can disable all dontaudits by running semodule -DB.
Once you are done you can run semodule -B and get dontaudits back.
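Once `semodule -DB` has rebuilt the policy without its dontaudit rules, denials that were previously silent start showing up as AVC records in the audit log, and the job becomes sorting out which of them are hiding a real problem (Martin's empty cron mails) from the noise the dontaudit rules were there to suppress. The script below is an added example, not code from this thread or from the SELinux userspace tools: it parses AVC records and counts the distinct (source type, target type, class, permission) tuples, then renders each as the allow rule a policy author would weigh before switching back with `semodule -B`. The sample audit lines are constructed for the example, and the record layout assumed is the standard kernel AVC format (`avc: denied { perm } for ... scontext=... tcontext=... tclass=...`); audit2allow does this job for real, this just shows the mechanics.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the mailing list). The
# second and third lines are the kind of denial that a dontaudit rule would
# normally keep out of the log and that only appears after `semodule -DB`.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190226000.123:45): avc:  denied  { read } for  pid=2345 comm="sendmail" name="passwd" dev=sda1 ino=1234 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1190226001.456:46): avc:  denied  { search } for  pid=2345 comm="sendmail" name="root" dev=sda1 ino=77 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1190226002.789:47): avc:  denied  { read } for  pid=2345 comm="sendmail" name="passwd" dev=sda1 ino=1234 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1190226002.789:47): arch=c000003e syscall=2 success=no exit=-13 ...
"""

# One AVC record: result, permission set in braces, then the two contexts
# and the object class. Other record types (SYSCALL, CWD, PATH) do not match.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a context written as user:role:type[:range]."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one audit record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def summarize_denials(log_text):
    """Count distinct (source type, target type, class, permission) denials."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


def as_te_rule(key):
    """Render a denial tuple as the allow rule a policy author would evaluate."""
    stype, ttype, tclass, perm = key
    return f"allow {stype} {ttype}:{tclass} {perm};"


if __name__ == '__main__':
    # With the constructed log this prints two lines: the repeated etc_t read
    # (count 2) and the single user_home_dir_t search (count 1).
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:4d}  {as_te_rule(key)}")
```

Run it against `ausearch -m avc` output (or a copy of audit.log) taken while dontaudits are disabled; tuples that appear only in that window are the ones a dontaudit rule had been hiding, and each is either a legitimate suppression to keep or the denial that explains a misbehaving service.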