Re: No audit lines produced

[Miroslav Grepl <mgrepl@xxxxxxxxxx>]

On 05/15/2012 12:09 PM, Dominick Grift wrote:
> Run semodule -DB to build a policy database without the dontaudit rules.
> Run semodule -B to build a policy database (with the dontaudit rules
> included)
>
> On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:
> > I'm trying to debug a Nagios plugin that isn't playing nicely with
> > SELinux. It executes a system binary to get statistics about DHCP pool
> > usage, and obviously SELinux stamps on that access and the plugin only
> > returns partial data.
> >
> > In Permissive mode the plugin works, it Enforcing it doesn't. But in
> > neither mode are there any debug messages in audit.log
> >
> > [jg4461@dhcp1 ~]$ sudo setenforce 0
> > [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
> > check_dhcpd_pools
> > OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
> > rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
> > rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
> > rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
> > rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
> > rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
> > rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90
> >
> > [jg4461@dhcp1 ~]$ sudo setenforce 1
> > [jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
> > check_dhcpd_pools
> > OK - all pools less than 80% full |
> >
> > Regardless of the SELinux mode, the same 3 log lines are printed in
> > audit.log:
> >
> > type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0
> > auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/"
> > cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
> > type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0
> > auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
> > msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=?
> > terminal=? res=success'
> > type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0
> > auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
> > msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=?
> > addr=? terminal=? res=success'
> >
> >
> > Anyone have any idea how I can see the deny messages and make a policy
> > from them?
> >
> > Cheers,
> > Jonathan
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
So execute

# semodule -DB
re-test it
# ausearch -m avc -ts recent
# semodule -B


Also we will need to add labeling for the check_dhcpd_pools plugin.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux