Re: How can I know disabling dontaudit or not ?

On 05/16/2009 08:50 AM, Shintaro Fujiwara wrote:
> Thanks.
>
> So, I understand there are no commands checking the present state of
> enabling or disabling dontaudit?

Correct. Although you could use sesearch --dontaudit to see there are no dontaudit rules in the policy.

> And especially, disabling dontaudit survives the next boot, so an
> ordinary administrator like me doesn't know whether or not dontaudit is
> disabled.

Yes, semodule -DB rebuilds the /etc/selinux/targeted/policy/policy.VERSION
file which will stay there until the next time you run semanage or semodule (selinux-policy-targeted update for example).

> If I forget disabling dontaudit and don't know much about SELinux
> audit, if somebody tells me to do audit2allow and some buggy program is
> running to manage shadow_t, I may foolishly install a policy to
> manage shadow_t?

Yes, but you can always make this mistake.

> I think in that case, the present state of dontaudit (disabled or not)
> should be checked, giving advice to the administrator to type the command
> #semodule -B.

I don't agree. The only time someone should disable dontaudit rules would be when trying to diagnose an SELinux problem, and leaving SELinux dontaudit rules disabled will be pretty evident in the number of AVCs that will be coming to the machine.

> Well, I presently can manage, at least by making in a certain confined area
> a file labeled shadow_t or whatever the dontaudit will be applied to, and
> checking if the dontaudit is disabled or not.
>
> I think it is an ugly way, but as an ordinary administrator, I can manage
> in that way.
>
> Thanks for your advice.
>
> 2009/5/16 Daniel J Walsh<dwalsh@xxxxxxxxxx>:
>> On 05/15/2009 07:50 PM, Shintaro Fujiwara wrote:
>>> Hi, I typed,
>>>
>>> #semodule -DB
>>>
>>> How should I know if I succeeded in disabling dontaudits?
>>>
>>> Thanks.
>>
>> If the command did not display any errors, it succeeded.  Also you should
>> start to see a lot more avc messages.  Start and stop a couple of services.
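A small helper, added here as an example and not part of the thread, that scripts the check Dan describes: count the dontaudit rules sesearch reports for the loaded policy and turn that into a yes/no answer for the administrator. The function names are mine; it assumes setools' sesearch is installed and that a policy rebuilt with semodule -DB contains no dontaudit rules, as stated above.

```shell
#!/bin/sh
# Added example (not from the thread): report whether dontaudit rules are
# currently present in the loaded SELinux policy. Assumes setools'
# sesearch is installed; function names are hypothetical.

# Count dontaudit rules in sesearch output read from stdin.
# Both setools 3 ("dontaudit a b : file { read } ;") and setools 4
# ("dontaudit a b:file { read };") lines begin with the keyword.
count_dontaudit_rules() {
    grep -c '^dontaudit ' || true
}

# Map a rule count to the state an administrator wants to know.
# After 'semodule -DB' the rebuilt policy carries no dontaudit rules.
dontaudit_state() {
    if [ "$1" -eq 0 ]; then
        echo "disabled"
    else
        echo "enabled"
    fi
}

# Query the running policy and print the state; call this on a real host.
check_live_policy() {
    command -v sesearch >/dev/null 2>&1 || {
        echo "sesearch not found; install the setools console package" >&2
        return 2
    }
    n=$(sesearch --dontaudit 2>/dev/null | count_dontaudit_rules)
    state=$(dontaudit_state "$n")
    echo "dontaudit rules in loaded policy: $n ($state)"
    if [ "$state" = "disabled" ]; then
        # Defender's reminder from the thread: re-enable with 'semodule -B'
        # before trusting audit2allow output, or denials that are normally
        # silenced will look like policy bugs to fix.
        echo "dontaudit is disabled; run 'semodule -B' before using audit2allow." >&2
    fi
}
```

Run `check_live_policy` on the host to query the loaded policy; the two small functions can be tested offline with captured sesearch output.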

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
