Bug 445101
Summary: | (staff_u) zillion AVC denials
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy-targeted
Version: | rawhide
Hardware: | All
OS: | Linux
Status: | CLOSED NOTABUG
Severity: | low
Priority: | low
Reporter: | Matěj Cepl <mcepl>
Assignee: | Daniel Walsh <dwalsh>
QA Contact: | Ben Levenson <benl>
CC: | mcepl
Doc Type: | Bug Fix
Last Closed: | 2008-05-05 20:41:35 UTC

Description
Matěj Cepl
2008-05-03 18:50:18 UTC
Created attachment 304465
/var/log/audit/audit.log
Created attachment 304468
generated SELinux module
When removing all lines from audit.log before I switched to using staff_u, I generated this SELinux module with audit2allow.

If you are testing staff_t please do not run in permissive mode. Any AVC that you collected while in permissive mode is useless. Since staff_u is not allowed to run su, when in permissive mode you ran visudo, which is also not allowed, so lots of AVC messages are useless to me. You need to set up sudo beforehand and use sudo to switch to unconfined_t when run as root.

OK, if I cannot run in permissive mode, then I am afraid I cannot use staff_u at all (need for developing stuff permissive mode).

Not sure why you need permissive mode for developing. I use staff_t, which has a transition to unconfined_t, and I develop every day.

I am probably a much worse programmer than you (well, I am not a programmer at all, strictly speaking), so when hacking on bitlbee (which is confined) I am hitting SELinux all the time.
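
The comments above say that denials logged while permissive are not usable for policy work. The following added example, which is not part of the original bug report, splits AVC records by mode so that only enforcing-mode denials are reviewed. It assumes the audit records carry the `permissive=` field that current kernels append to AVC messages; the log lines are constructed samples, not the contents of the attachment.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not from the bug's attachment).
SAMPLE_LOG = """\
type=AVC msg=audit(1209840618.101:41): avc:  denied  { execute } for  pid=2101 comm="bash" name="su" dev=dm-0 ino=1311 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1209840620.332:42): avc:  denied  { write } for  pid=2107 comm="visudo" name="sudoers.tmp" dev=dm-0 ino=1522 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1209841001.870:57): avc:  denied  { read } for  pid=2290 comm="bitlbee" name="motd.txt" dev=dm-0 ino=1977 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1209841001.870:57): arch=c000003e syscall=2 success=no exit=-13 comm="bitlbee"
"""

# permissive= is optional so that records from older kernels still parse.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)

def split_avcs(log_text):
    """Return (enforcing, permissive, unknown) lists of parsed AVC denials."""
    buckets = {"0": [], "1": [], None: []}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other non-AVC records
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["domain"] = rec["scontext"].split(":")[2]  # user:role:type:level
        rec["raw"] = line
        buckets[rec.pop("permissive")].append(rec)
    return buckets["0"], buckets["1"], buckets[None]

def summarize(records):
    """Count denials per (source domain, target type, object class)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["domain"], r["tcontext"].split(":")[2], r["tclass"])] += 1
    return dict(counts)

if __name__ == "__main__":
    enforcing, permissive, unknown = split_avcs(SAMPLE_LOG)
    print("enforcing (review these):", summarize(enforcing))
    print("permissive (re-test in enforcing mode):", summarize(permissive))
    print("records without permissive= field:", len(unknown))
```

Records that land in the third bucket come from a kernel that does not log the mode, so their mode has to be established some other way before they are used.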