SELinux revisited

Steve G linux_4ever at yahoo.com
Sun Oct 21 13:12:26 UTC 2007 

Hi,

>>> But the next reboot then had auditd advise me there was an error in
 line
>>> 16 of /etc/audit/auditd.rules.

Which audit package are you using? FWIW, audit and selinux are different subsystems. If you have audit problems, it would be more helpful to change the subject line so that it catches my attention. I do not read every SE Linux email.  :)

>-a exit,always -S chroot
>#-a exit,always -S chdir -F obj_type=dhclient_t

>-----------
>Now it seems to me that those rules were there for a reason, and to
 have to 
>comment all but the first one out to get rid of the error:

These are not default audit rules. you or someone with access to your machine would have put these there. Did they work when you originally installed them and they quit working recently?

>Starting auditd:                                           [  OK  ]
>Error sending add rule data request (Unknown error 524)
>There was an error in line 27 of /etc/audit/audit.rules

To know what is happening, I'd need to know your audit package version and kernel version. And then I'd need to see the actual rule and an strace of loading just that one rule from the command line.

>isn't the real problem, so what do the experts here think?

The audit system compliments SE Linux in that it records the results of Access Vector Calculations (AVCs) whenever the rules say to. But SE Linux will work without the audit system.

>SELinux is running in permissive mode, and seems to be logging
 res=success for 
>everything so far,

SE Linux does not record "res=" fields. That is the audit system doing its normal stuff. To see if you have denials, I'd run the summary report: "aureport --start today" to see if you have anything in the avc row. If so, you can ;look deeper with "aureport --start today --avc -i" You would look for denied in the second to last column of each row. An example:

1. 10/15/2007 20:14:07 vpnc-script user_u:system_r:vpnc_t:s0 stat file getattr system_u:object_r:var_run_t:s0 denied 180


>Would it have logged res=denied for anything if set to permissive?

You need to look for "denied" in avc records.


-Steve


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the fedora-selinux-list mailing list