Bug 119572
| Summary: | SELinux FAQ - permission denial is silent | ||
|---|---|---|---|
| Product: | [Retired] Fedora Documentation | Reporter: | Stephen Smalley <sdsmall> |
| Component: | selinux-faq | Assignee: | Karsten Wade <kwade> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Tammy Fox <tammy.c.fox> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | devel | CC: | dwalsh, russell |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-04-02 19:34:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 118757 | ||
Description
Stephen Smalley
2004-03-31 14:17:40 UTC
Please review the following write up for the FAQ: (thanks for the entry submission)

## begin FAQ entry

Q: I get a specific permission denial only when SELinux is in enforcing mode, but I don't see any audit messages in /var/log/messages. How can I identify the cause of the permission denials?

A: There are two reasons you may be getting silent denials.

The most common reason is the policy contains an explicit dontaudit rule to suppress audit messages. The dontaudit rule is often used like this when a frequent benign denial is filling the audit logs. To look for your particular denial, you will need to enable all auditing:

    cd /etc/security/selinux/src/policy
    make enableaudit
    make load

[Caution] Enabling auditing will likely produce a large amount of audit information, most of which is irrelevant to your denial. Use this technique only if you are specifically looking for an audit message for a denial that seems to occur silently. You will likely want to turn off auditing as soon as possible. To turn auditing off, do the following:

    cd /etc/security/selinux/src/policy
    make clean
    make load

Another reason for getting silent denials is on an exec when a domain transition would normally occur, but the new domain is not authorized for the current role. At present, these errors are only logged when SELinux is running in permissive mode. This has been fixed in the upstream Linux kernel so that it will log an audit message. The current Fedora Core test kernel does not yet include this change.

## end FAQ entry

---

Just a minor suggestion: rather than saying "To turn auditing off", say "To re-enable dontaudit rules" or "To suppress benign audit messages". You aren't truly disabling all auditing, just the audit that would normally be suppressed by dontaudit rules.

---

Thanks; I understand the concept but was having some difficulty finding the exact wording to convey this without sounding as if I were using double-negatives, i.e., "to re-engage the dontengage rules".

Substituting 're-enable' works to keep the meaning simple and clear. Here is a sample of the new wording; the rest I will post today with other new questions:

## sample

[Caution] Enabling auditing of all dontaudit rules will likely produce a large amount of audit information, most of which is irrelevant to your denial. Use this technique only if you are specifically looking for an audit message for a denial that seems to occur silently. You will likely want to re-enable dontaudit rules as soon as possible. To re-enable dontaudit rules, do the following:
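The FAQ entry above warns that `make enableaudit` floods /var/log/messages with denials that dontaudit normally hides, and the practical problem is then picking your one denial out of that flood. The script below is an added example written for this page, not code from the bug report, the Fedora documentation or the SELinux policy tree: it parses kernel AVC records of the `audit(...): avc: denied { perms } for key=value ...` form, summarizes them by source context, target context, class and permissions so the frequent benign ones sort to the top, and lets you filter on any field (for example `exe`) to find the one you care about. The log lines in `SAMPLE_LOG` are constructed for the example, and the exact field layout of a 2004-era AVC message is an assumption; adjust `AVC_RE` if your kernel prints it differently.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages after `make enableaudit`.
# These lines are made up for this example and are not from a real system;
# the field layout follows the 2.6-era kernel AVC format as assumed here.
SAMPLE_LOG = """\
Mar 31 14:17:40 fc2 kernel: audit(1080742660.123:0): avc:  denied  { getattr } for  pid=1203 exe=/usr/bin/vim name=shadow dev=hda3 ino=27845 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
Mar 31 14:17:40 fc2 kernel: audit(1080742660.124:0): avc:  denied  { search } for  pid=811 exe=/usr/sbin/httpd name=root dev=hda3 ino=2 scontext=system_u:system_r:httpd_t tcontext=root:object_r:user_home_dir_t tclass=dir
Mar 31 14:17:41 fc2 kernel: audit(1080742661.001:0): avc:  denied  { search } for  pid=811 exe=/usr/sbin/httpd name=root dev=hda3 ino=2 scontext=system_u:system_r:httpd_t tcontext=root:object_r:user_home_dir_t tclass=dir
Mar 31 14:17:42 fc2 kernel: audit(1080742662.555:0): avc:  denied  { read write } for  pid=1203 exe=/usr/bin/vim name=tty2 dev=hda3 ino=2245 scontext=user_u:user_r:user_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Mar 31 14:17:43 fc2 sshd[900]: Accepted publickey for kwade from 10.0.0.5 port 40000 ssh2
"""

# "avc: denied { perm perm } for key=value key=value ..." anywhere in the line.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values (contexts, paths) contain no whitespace.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_avc(line):
    """Return a dict describing an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["verdict"] = m.group("verdict")
    rec["perms"] = frozenset(m.group("perms").split())
    return rec


def denials(lines):
    """Yield only the 'denied' records; 'granted' auditallow records are skipped."""
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["verdict"] == "denied":
            yield rec


def summarize(lines):
    """Count denials per (scontext, tcontext, tclass, perms).

    After enabling audit of dontaudit rules, the noisy benign denials that
    policy normally suppresses dominate this list; the rare entries near the
    bottom are the candidates for the denial you are actually chasing.
    """
    counts = Counter()
    for rec in denials(lines):
        key = (
            rec.get("scontext"),
            rec.get("tcontext"),
            rec.get("tclass"),
            " ".join(sorted(rec["perms"])),
        )
        counts[key] += 1
    return counts


def find_denials(lines, **match):
    """Return denials whose fields equal every keyword given, e.g. exe='/usr/bin/vim'."""
    return [
        rec for rec in denials(lines)
        if all(rec.get(key) == value for key, value in match.items())
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in summarize(lines).most_common():
        print(n, *key)
    for rec in find_denials(lines, exe="/usr/bin/vim"):
        print(rec["scontext"], "->", rec["tcontext"], rec["tclass"], sorted(rec["perms"]))
```

Run it against a real file with `find_denials(open("/var/log/messages"), exe="/path/to/your/binary")`; once the denial is found, re-enable the dontaudit rules as the entry describes, since leaving them disabled keeps filling the log with the benign noise this script is sorting out.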