Description of problem:
If I execute sandbox setenforce 0 I would expect a big denial in the audit.log

# sandbox setenforce 0
/usr/sbin/setenforce: setenforce() failed
sh-4.0# ausearch -m avc -ts recent
<no matches>

Sadly no AVC is reported. If I put the machine in permissive mode I do see the AVC.

#============= sandbox_t ==============
allow sandbox_t security_t:file write;
allow sandbox_t security_t:security setenforce;
Do you have dontaudit on open of security_t:file? I don't see the open...
Ditto for security_t:dir search. You aren't ever reaching the setenforce check in enforcing mode.
I am an idiot, never mind. I will allow domains to getattr on /selinux and search the selinux_t so that we can get them attempting to write the security_t file.
BTW There is no open of security_t.
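The mechanism the thread works out (an early dontaudit'ed check aborts the operation in enforcing mode, so the write/setenforce denial is never reached or logged) as an added illustration; this is not code from the bug report or the SELinux policy sources, and the check order and rule sets are constructed for the example.

```python
"""Added example, not from the bug report or the SELinux policy sources: a
small model of how a dontaudit rule on an early permission check hides the
later, interesting denial. The check order and rule sets are constructed."""
from dataclasses import dataclass, field

# Permission checks hit, in order, when a sandbox_t process runs
# `setenforce 0` (assumed sequence, based on the thread's discussion).
SETENFORCE_CHECKS = [
    ("security_t", "dir", "search"),
    ("security_t", "file", "getattr"),
    ("security_t", "file", "write"),
    ("security_t", "security", "setenforce"),
]

@dataclass
class Policy:
    allow: set = field(default_factory=set)      # (target, class, perm)
    dontaudit: set = field(default_factory=set)  # denied but never logged

def simulate(policy, checks, enforcing):
    """Walk the checks as the kernel would; return (succeeded, logged).

    Enforcing: the first denial aborts the operation, later checks never
    run, and a dontaudit'ed denial leaves no record at all.  Permissive:
    every check runs and every non-dontaudit denial is logged.
    """
    logged = []
    succeeded = True
    for check in checks:
        if check in policy.allow:
            continue
        succeeded = False
        if check not in policy.dontaudit:
            logged.append(check)
        if enforcing:
            break
    return succeeded, logged

def audit2allow(source, logged):
    """Render logged denials the way audit2allow would print them."""
    return [f"allow {source} {t}:{c} {p};" for t, c, p in logged]

# Policy as the thread describes it: dir search and file getattr on
# security_t are dontaudit'ed for sandbox_t.
ORIGINAL = Policy(dontaudit={("security_t", "dir", "search"),
                             ("security_t", "file", "getattr")})
# Policy after the proposed fix: those two checks are allowed instead.
FIXED = Policy(allow={("security_t", "dir", "search"),
                      ("security_t", "file", "getattr")})
```

With ORIGINAL, enforcing mode logs nothing while permissive mode logs exactly the two rules audit2allow printed in the report; with FIXED, enforcing mode logs the security_t:file write denial.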