On 04/10/2012 11:00 AM, Dominick Grift wrote:
> On Tue, 2012-04-10 at 09:55 -0500, Jason L Tibbitts III wrote:
>>>>>>> "DG" == Dominick Grift <dominick.grift@xxxxxxxxx> writes:
>>
>> DG> You should really see AVC denials when you build the policy.db with
>> DG> the dontaudit rules removed (semodule -DB)
>> DG> Maybe you've overlooked them?
>>
>> I know the original question was about EL6, but I had some issues with
>> CGI-type stuff outside of a specific cgi-bin directory recently on F16,
>> and I was quite surprised that completely relevant AVCs were hidden
>> behind dontaudit rules. In fact, I had no AVCs at all for that
>> situation; stuff just failed to work without any indication of why.
>> semodule -DB made it completely obvious, once you picked out the AVCs
>> that caused the problem from whatever random other stuff was expected to
>> happen.
>>
>> Is there any reasonable explanation for why these AVCs are not shown by
>> default?
>
> There should be, but I can't think of any.
>
> I have encountered similar issues with daemons trying to traverse $USER
> being dontaudited; I don't like it either.
>
>> - J<
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

The problem here was that users executing "service BLAH restart" were generating lots of AVCs if they were sitting in their $HOME directory. Since the default for apps was to look at the current working directory, we would get an AVC like named_t tried to getattr on user_home_dir_t. The best way to stop this flood was to say:

dontaudit initdaemons user_home_dir_t:dir search_dir_perms;

Now that we have moved to systemd, this is not as big a problem and we can remove the dontaudit rule.
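The workflow the thread describes (rebuild policy.db without dontaudit rules, reproduce the failure, pick the relevant AVCs out of the noise, then put the dontaudit rules back), written out as an added example. This is not code from the thread or from the Fedora SELinux policy; the audit lines embedded below are constructed samples in the shape ausearch prints for the named_t/user_home_dir_t case the reply mentions, and the helper names summarize_avcs and reveal_hidden_avcs are assumptions of this example. The semodule, ausearch and sesearch invocations need root on a live SELinux system, so they live in a function the reader calls explicitly; the summariser runs offline on the samples.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of what
# `ausearch -m avc` prints once dontaudit rules have been dropped with
# `semodule -DB`; with the dontaudit rule in place these lines never appear.
SAMPLE_AVC='type=AVC msg=audit(1334069000.123:42): avc:  denied  { search } for  pid=1234 comm="named" name="user" dev=dm-0 ino=131073 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1334069000.456:43): avc:  denied  { getattr } for  pid=1234 comm="named" path="/home/user" dev=dm-0 ino=131073 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1334069001.789:44): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.cgi" dev=dm-0 ino=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Collapse raw AVC lines (read from stdin) into one line per
# "source_type target_type:class permission (count)". That grouping is the
# same one audit2allow works from, and it makes the denial that actually
# broke the service stand out from the expected background noise (the
# "named_t searching $HOME" flood the reply talks about).
summarize_avcs() {
    awk '
    /avc:  denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the type is field 3
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt ":" cls " " perm]++
    }
    END {
        for (k in count) printf "%s (%d)\n", k, count[k]
    }' | sort
}

# The live procedure from the thread. Requires root; not run automatically.
# Usage: reproduce the failure (e.g. "service BLAH restart") after the
# first step, then inspect the summary.
reveal_hidden_avcs() {
    # 1. Rebuild policy.db with every dontaudit rule stripped out.
    semodule -DB
    echo "dontaudit rules disabled; reproduce the failure now, then press Enter"
    read -r _
    # 2. Summarise the denials from the last few minutes.
    ausearch -m avc -ts recent | summarize_avcs
    # 3. Optionally confirm which dontaudit rule was hiding a denial
    #    (setools sesearch), e.g.:
    #    sesearch --dontaudit -s named_t -t user_home_dir_t -c dir
    # 4. Restore the dontaudit rules so the expected noise stays hidden.
    semodule -B
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | summarize_avcs
```

Of the three summary lines this prints, the two named_t lines against user_home_dir_t are exactly the "expected" flood the reply says the dontaudit rule was written to silence, while the httpd_t line against user_home_t is the kind of relevant denial that the same mechanism can hide when it is cast too widely.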