lack of AVC denied messages
Richard Hally
rhally at mindspring.com
Fri Jun 25 03:52:04 UTC 2004
Richard Hally wrote:
> After recent updates Mozilla web browser will not start while in
> enforcing mode. The troubling thing is that it does not produce any avc
> denied messages. Further, after switching to permissive mode, starting
> Mozilla web browser, exiting, generating allow rules from the avc denied
> messages, incorporating them into the policy, doing a 'make reload' and
> trying Mozilla again in enforcing mode it still will not start and
> does not produce any avc denied messages.
> Considering that the recommended method for generating policy is to
> "debug it into existence" i.e. run things and look at the avc denied
> messages, this lack of avc denied message indicates there is something
> fundamentally wrong here and indicates a mode of failure we may not have
> considered before.
> Or is it just a bug?
>
> Thanks for any help,
> Richard Hally
>
> kernel 2.6.7.-1.448
> selinux-policy-strict-sources-1.13.8-1
> sysklogd-1.4.1-20
Sorry for the reply to my own message.
After remembering (and using) the 'enableaudit' option for making
policy, the needed avc denied messages to generate the allow rules were
produced.
But this raises the larger question of how are we going to handle the
dontaudit rules in the future? And how do we distinguish between those
that are for "harmless" denials and those that are not?
Richard Hally
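
Added example, not part of the original message and not code from the policy sources: one way to approach the closing question is to compare the denials logged with auditing enabled against the policy's dontaudit rules, so that accesses the policy authors deliberately silenced are reviewed separately instead of being turned into allow rules wholesale. The type names, rules and log lines are constructed, and the matcher assumes plain type names (attributes, `~` and `*` are not expanded).

```python
import re

# Constructed policy fragment; type names are hypothetical, not from the post.
# Assumption: rules name types directly (no attributes, '~' or '*').
POLICY = """
dontaudit user_mozilla_t proc_t:dir { search getattr };
dontaudit user_mozilla_t { etc_runtime_t var_run_t }:file { read getattr };
allow user_mozilla_t user_home_t:file { read write };
"""

# Constructed AVC denials, as they might be logged once dontaudit rules are stripped.
AVC_LOG = """
avc:  denied  { search } for  pid=2101 exe=/usr/bin/mozilla name=1 dev=proc scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:proc_t tclass=dir
avc:  denied  { read } for  pid=2101 exe=/usr/bin/mozilla name=fonts.cache scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_fonts_t tclass=file
avc:  denied  { read write } for  pid=2101 exe=/usr/bin/mozilla name=utmp scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:var_run_t tclass=file
"""

RULE_RE = re.compile(r"^\s*dontaudit\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)"
                     r"\s*:\s*(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;", re.M)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def names(field):
    return set(field.strip("{} ").split())   # "{ a b }" or "a" -> {"a", "b"} / {"a"}

def parse_dontaudit(policy_text):
    return [tuple(names(g) for g in m.groups()) for m in RULE_RE.finditer(policy_text)]

def classify(avc_text, rules):
    """Return (source, target, class, silenced_perms, unexpected_perms) per denial."""
    results = []
    for m in AVC_RE.finditer(avc_text):
        perms = set(m.group(1).split())
        src, tgt = m.group(2).split(":")[2], m.group(3).split(":")[2]  # type field
        tclass = m.group(4)
        hidden = set()
        for r_src, r_tgt, r_cls, r_perms in rules:
            tgt_hit = tgt in r_tgt or ("self" in r_tgt and src == tgt)
            if src in r_src and tgt_hit and tclass in r_cls:
                hidden |= perms & r_perms
        results.append((src, tgt, tclass, sorted(hidden), sorted(perms - hidden)))
    return results

if __name__ == "__main__":
    for src, tgt, cls, silenced, unexpected in classify(AVC_LOG, parse_dontaudit(POLICY)):
        print(f"{src} -> {tgt}:{cls}  dontaudit-covered={silenced}  needs-review={unexpected}")
```

Permissions in the last column were never covered by a dontaudit rule, so they are the candidates for a missing allow rule; the dontaudit-covered ones need a decision on whether the original "harmless" judgement still holds.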