On Tue, 2010-01-19 at 09:57 -0500, Steve Grubb wrote:
> On Tuesday 19 January 2010 04:33:31 am Göran Uddeborg wrote:
> > Daniel J Walsh:
> > > If you use ausearch -m avc to look for this avc, is there some info
> > > setroubleshoot might have dropped?
> >
> > It didn't miss anything. It just gave exactly the same info as in the
> > end of the SETroubleshoot message.
> >
> > (But looking at that and the surrounding events, I realised these
> > AVC:s happen when the machine goes down, not when it comes back up as
> > I first thought. That could be one more clue. I'll keep searching.)
>
> There are 2 general issues. Finding and fixing the current problem and having
> troubleshooting info for the next incident. To find the current issue, I think
> all you have to do is add any audit rule which will turn on full auditing.
> This should get the path record if one exists. You could add a rule like this
> to /etc/audit/audit.rules:
>
> -a always,exit -S personality
>
> and that should be one that never triggers.
>
> But going a step further for the next incident, I think that on capability
> denied decisions for: chown, dac_override, dac_read_search, fowner, fsetid,
> and linux_immutable, the object of the operation should be recorded and that
> would be a file or directory. Device and inode should suffice.

The issue with any cap_* check is that there is no "object of the operation."
Capabilities are really just checks for the process. I think the only way to
get it is going to be to make sure you have an audit rule and you'd get a name
record.

I tend to use

-a exit,always -F arch=b32 -S kill -F pid=1

Which is sure to never trigger....

-Eric

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
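The practical consequence of the exchange above is that a capability AVC on its own names a process, not a file; only when a syscall audit rule is loaded does the kernel emit SYSCALL and PATH records in the same event, and those carry the name, device and inode. The script below is an added illustration written for this page, not code from the thread or from the audit or SELinux projects. It groups audit records by the serial in msg=audit(<timestamp>:<serial>), reports the PATH objects that accompany each capability denial, and flags events where no PATH record exists (the situation without such a rule). The log records it parses are constructed for the example, not captured from a real system; the record layout follows the standard auditd text format.

```python
import re
from collections import defaultdict

# Header shared by every audit record: type, timestamp and the per-event serial.
AUDIT_HDR = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be double-quoted (names with spaces) or bare.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set of an AVC record, e.g. 'denied  { dac_override }'.
DENIED = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit line into type, serial and a dict of its key=value fields."""
    m = AUDIT_HDR.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group('body'))}
    return {'type': m.group('type'), 'serial': int(m.group('serial')),
            'body': m.group('body'), 'fields': fields}


def capability_denials(lines):
    """Return one summary per capability AVC, with the PATH objects (if any) of its event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)

    summaries = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r['fields'] for r in recs if r['type'] == 'SYSCALL'), {})
        objects = [{'name': r['fields'].get('name'),
                    'dev': r['fields'].get('dev'),
                    'inode': r['fields'].get('inode')}
                   for r in recs if r['type'] == 'PATH']
        for avc in recs:
            if avc['type'] != 'AVC' or avc['fields'].get('tclass') != 'capability':
                continue
            perm = DENIED.search(avc['body'])
            summaries.append({
                'serial': serial,
                'comm': avc['fields'].get('comm'),
                'pid': avc['fields'].get('pid'),
                'permission': perm.group(1) if perm else None,
                'syscall': syscall.get('syscall'),
                'exe': syscall.get('exe'),
                'objects': objects,
            })
    return summaries


def describe(summary):
    """One readable line; says what is missing when no PATH record accompanied the AVC."""
    head = (f"audit({summary['serial']}): {summary['comm']}[{summary['pid']}] denied "
            f"capability {summary['permission']}")
    if summary['objects']:
        objs = ', '.join(f"{o['name']} (dev={o['dev']} inode={o['inode']})"
                         for o in summary['objects'])
        return f"{head} during syscall {summary['syscall']} on {objs}"
    return (f"{head}; no PATH record in this event: load a syscall audit rule "
            f"so the kernel emits SYSCALL/PATH records alongside the AVC")


# Constructed sample records (not from a real system). Event 456 was captured with
# a syscall rule loaded, so it carries SYSCALL and PATH records; event 457 was not.
SAMPLE_LOG = """\
type=AVC msg=audit(1263900000.123:456): avc:  denied  { dac_override } for  pid=1234 comm="logrotate" capability=1  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability
type=SYSCALL msg=audit(1263900000.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fffa1b2c3d4 a1=2 a2=0 a3=0 items=1 ppid=1 pid=1234 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0 key=(null)
type=PATH msg=audit(1263900000.123:456): item=0 name="/var/log/example.log" inode=131090 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0
type=AVC msg=audit(1263900100.456:457): avc:  denied  { fowner } for  pid=2345 comm="rsyslogd" capability=3  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
"""

if __name__ == '__main__':
    for s in capability_denials(SAMPLE_LOG.splitlines()):
        print(describe(s))
```

Feed it the output of `ausearch -i` turned off (raw records, e.g. `ausearch -m avc,syscall,path --raw`) or a copy of /var/log/audit/audit.log; the second sample event shows what you get when no rule like the never-triggering `-S personality` or `-S kill -F pid=1` ones from the thread is loaded.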