Run semodule -DB to build a policy database without the dontaudit rules.
Run semodule -B to build a policy database (with the dontaudit rules included).

On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:
> I'm trying to debug a Nagios plugin that isn't playing nicely with
> SELinux. It executes a system binary to get statistics about DHCP pool
> usage, and obviously SELinux stamps on that access and the plugin only
> returns partial data.
>
> In Permissive mode the plugin works, in Enforcing it doesn't. But in
> neither mode are there any debug messages in audit.log
>
> [jg4461@dhcp1 ~]$ sudo setenforce 0
> [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_dhcpd_pools
> OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
> rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
> rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
> rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
> rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
> rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
> rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90
>
> [jg4461@dhcp1 ~]$ sudo setenforce 1
> [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_dhcpd_pools
> OK - all pools less than 80% full |
>
> Regardless of the SELinux mode, the same 3 log lines are printed in
> audit.log:
>
> type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/" cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
> type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
> type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
>
> Anyone have any idea how I can see the deny messages and make a policy
> from them?
>
> Cheers,
> Jonathan
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
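The semodule -DB / reproduce / semodule -B cycle from the reply, as an added example that is not part of the thread: avc_summary() condenses AVC records so the hidden denial stands out among the USER_CMD/CRED_ACQ/USER_START noise, and reveal_denials() wraps the cycle. The AVC record in the sample is constructed for illustration (nrpe_t reading a dhcpd_state_t file is a hypothetical denial, not one reported in the thread), and reveal_denials() assumes root on an SELinux system with semodule and ausearch available.

```shell
#!/bin/sh
# Added example, not from the thread. "No AVC in audit.log" does not mean "no
# denial": dontaudit rules silence the record until semodule -DB strips them.

# Constructed sample: the thread's USER_CMD record plus one hypothetical AVC
# record of the kind that only appears once dontaudit rules are disabled.
SAMPLE_AUDIT=$(cat <<'EOF'
type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/" cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
type=AVC msg=audit(1337077807.200:273645): avc:  denied  { read open } for  pid=1595 comm="check_dhcpd_po" name="dhcpd.leases" scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file
EOF
)

# Print "scontext tcontext tclass permissions" for every AVC record on stdin;
# records of other types (USER_CMD, CRED_ACQ, USER_START, ...) are ignored.
avc_summary() {
  awk '/^type=AVC / {
    perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
    s = "?"; t = "?"; c = "?"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) s = substr($i, 10)
      else if ($i ~ /^tcontext=/) t = substr($i, 10)
      else if ($i ~ /^tclass=/) c = substr($i, 8)
    }
    print s, t, c, perms
  }'
}

# Disable dontaudit rules, run the failing command given as arguments, report
# the denials logged in the last 10 minutes, then restore the normal policy.
# Needs root on an SELinux system; elsewhere it returns 2 without touching policy.
reveal_denials() {
  command -v semodule >/dev/null 2>&1 || { echo "semodule not available" >&2; return 2; }
  semodule -DB || return 1          # rebuild policy without dontaudit rules
  trap 'semodule -B' EXIT           # put the dontaudit rules back no matter what
  "$@"                              # reproduce, e.g. check_nrpe -H localhost -c check_dhcpd_pools
  ausearch -m avc -ts recent 2>/dev/null | avc_summary | sort | uniq -c
}

# Offline demonstration on the constructed sample (no policy changes).
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

Once the denials are visible, the same ausearch output can be fed to audit2allow to draft the policy module the question asks for; review the generated rules before installing them rather than allowing everything it proposes.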