On Tue, 2012-04-10 at 09:55 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dominick Grift <dominick.grift@xxxxxxxxx> writes:
>
> DG> You should really see AVC denials when you build the policy.db with
> DG> the dontaudit rules removed (semodule -DB)
> DG> Maybe you've overlooked them?
>
> I know the original question was about EL6 but I had some issues with
> CGI-type stuff outside of a specific cgi-bin directory recently on F16,
> and I was quite surprised that completely relevant AVCs were hidden
> behind dontaudit rules. In fact, I had no AVCs at all for that
> situation; stuff just failed to work without any indication of why.
> semodule -DB made it completely obvious, once you picked out the AVCs
> that caused the problem from whatever random other stuff was expected to
> happen.
>
> Is there any reasonable explanation for why these AVCs are not shown by
> default?

There should be but I can't think of any. I have encountered similar
issues with daemons trying to traverse $USER being dontaudited; I don't
like it either.

> - J<