
List:       fedora-selinux-list
Subject:    Re: SELinux revisited
From:       Steve G <linux_4ever () yahoo ! com>
Date:       2007-10-21 13:12:26
Message-ID: 575405.62452.qm () web51511 ! mail ! re2 ! yahoo ! com

Hi,

> > > But the next reboot then had auditd advise me there was an error in line
> > > 16 of /etc/audit/auditd.rules.

Which audit package are you using? FWIW, audit and selinux are different subsystems.
If you have audit problems, it would be more helpful to change the subject line so
that it catches my attention. I do not read every SE Linux email.  :)

> -a exit,always -S chroot
> #-a exit,always -S chdir -F obj_type=dhclient_t

> -----------
> Now it seems to me that those rules were there for a reason, and to have to
> comment all but the first one out to get rid of the error:

These are not default audit rules. You or someone with access to your machine would
have put these there. Did they work when you originally installed them and they quit
working recently?

> Starting auditd:                                           [  OK  ]
> Error sending add rule data request (Unknown error 524)
> There was an error in line 27 of /etc/audit/audit.rules

To know what is happening, I'd need to know your audit package version and kernel
version. And then I'd need to see the actual rule and an strace of loading just that
one rule from the command line.

> isn't the real problem, so what do the experts here think?

The audit system complements SE Linux in that it records the results of Access Vector
Calculations (AVCs) whenever the rules say to. But SE Linux will work without the
audit system.

> SELinux is running in permissive mode, and seems to be logging res=success for
> everything so far,

SE Linux does not record "res=" fields. That is the audit system doing its normal
stuff. To see if you have denials, I'd run the summary report: "aureport --start
today" to see if you have anything in the avc row. If so, you can look deeper with
"aureport --start today --avc -i". You would look for denied in the second to last
column of each row. An example:

1. 10/15/2007 20:14:07 vpnc-script user_u:system_r:vpnc_t:s0 stat file getattr system_u:object_r:var_run_t:s0 denied 180


> Would it have logged res=denied for anything if set to permissive?

You need to look for "denied" in avc records.


-Steve



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
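The check Steve describes above (run "aureport --start today --avc -i" and look for "denied" in the second-to-last column) is easy to automate. The script below is an added example, not code from the thread or from the audit project: it filters the report for denial rows and tallies them by subject context, target context and permission so the noisiest denial stands out. The report text embedded in SAMPLE_REPORT is constructed for offline use and follows the row layout of the example line in the reply; the header lines are an assumption about aureport's output, and the filter does not depend on them.

```shell
#!/bin/sh
# Added example (not from the thread): pick out AVC denials from the
# output of "aureport --start today --avc -i", as the reply suggests.
# Real usage:  aureport --start today --avc -i | avc_denial_summary

# Constructed sample report (not captured from a real system). Row
# layout follows the example line in the reply: number, date, time,
# comm, subject context, syscall, class, permission, target context,
# result, event id. The header lines are an assumption.
SAMPLE_REPORT='
AVC Report
========================================================
# date time comm subj syscall class permission obj result event
========================================================
1. 10/15/2007 20:14:07 vpnc-script user_u:system_r:vpnc_t:s0 stat file getattr system_u:object_r:var_run_t:s0 denied 180
2. 10/15/2007 20:14:09 dhclient system_u:system_r:dhcpc_t:s0 open file read system_u:object_r:etc_t:s0 granted 181
3. 10/15/2007 20:15:11 httpd system_u:system_r:httpd_t:s0 open file read system_u:object_r:user_home_t:s0 denied 182
4. 10/15/2007 20:16:02 vpnc-script user_u:system_r:vpnc_t:s0 stat file getattr system_u:object_r:var_run_t:s0 denied 183
'

# Keep only numbered report rows whose second-to-last field is "denied".
# Header and separator lines never start with "<digits>." so they drop out.
avc_denials() {
    awk '/^[0-9]+\./ && $(NF-1) == "denied"'
}

# Tally denials by "subject -> target permission" (fields 5, 9 and 8),
# most frequent first, so a repeated denial is visible at a glance.
avc_denial_summary() {
    avc_denials |
        awk '{ key = $5 " -> " $9 " " $8; n[key]++ }
             END { for (k in n) print n[k], k }' |
        sort -rn
}

# Number of denial rows in the constructed sample (used by the test below).
count_sample_denials() {
    printf '%s\n' "$SAMPLE_REPORT" | avc_denials | wc -l | tr -d ' '
}

# Top line of the summary for the constructed sample.
top_sample_denial() {
    printf '%s\n' "$SAMPLE_REPORT" | avc_denial_summary | head -n 1
}

printf '%s\n' "$SAMPLE_REPORT" | avc_denial_summary
```

On a permissive system this is the quickest way to confirm whether the policy would have denied anything: a "granted" row in the sample is dropped, the two vpnc_t rows collapse into one summary line with a count of 2, and an empty result means no AVC denials were recorded in the period you asked aureport for.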

