On Tue, 2013-04-16 at 13:17 +0530, Lakshmipathi.G wrote:
> Thanks Dominick for more detailed info.
> Okay, will log the silent denials via semodule -DB option.
>
> > not signal a bug and auditd (with the appropriate rules) can be used to
> > log any specific syscalls.
>
> How to do this? Logging specific syscall? Do we have another additional
> feature like logging specific path (say /etc/passwd)?

Yes. Best to read up on linux-audit.

> > many people see the policy as something that is fixed.
> > If they have to write policy they argue that it is broken.
>
> I understand the point, but the problem is at least for users
> like me, we are not really sure whether adding a new policy
> may compromise an existing setup.

Yes, I understand. To really understand all the issues one needs to be familiar with GNU/Linux programming in my view. I am not in that league either. That does not mean we are totally useless though. Some things are self-explanatory, and in other cases one should always keep in mind to use the "least privilege" required. Also, many of the elements of an AVC denial are documented, such as the security classes and their AV permissions; one can reference them and then use that info to investigate whether some event makes sense or if it is maybe a bug or an intrusion.

> > But that requires that one learns to speak and write SELinux's language,
> > and that might be an intimidating prospect to some. Not to mention the
> > ability to design a policy that meets one's requirements and to maintain
> > that.
>
> Yes, that's the main thing: to make SELinux customized to their requirement,
> you need to be a well-experienced user; average users (like me) will rely
> on tools like audit2allow or audit2why etc., because these tools help them
> write a policy without really getting deep into the issue :D !

But that defeats the purpose of SELinux. Better to invest some time into discovering the inner workings a bit first.

I am not saying that you need to be an expert (I am no expert either), but it is better that one knows at least a bit about the basics. It takes a bit of effort, but in my view it will eventually pay off. Once you get a bit familiar with SELinux then it is no longer as intimidating (although its power and flexibility will always be at least a bit intimidating in my experience). Nonetheless SELinux has become pretty mainstream and so the experience will come in handy in many cases.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
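The two cases asked about in the thread, logging a specific syscall and watching a specific path such as /etc/passwd, as an added example of linux-audit rules; this is not code from the list or from the audit project, and the rules.d file name and the key names are my own assumptions.

```shell
#!/bin/sh
# Added example: audit rules that record writes to /etc/passwd and every
# open/openat syscall that names it, plus a generic rule for denied opens.
# Assumes auditd, auditctl and ausearch are installed; the file name under
# /etc/audit/rules.d and the -k key names are assumptions, not conventions.

# Write the rule set to a file (default is an assumed rules.d path).
# Prints the number of rule lines written so a caller can verify it.
write_passwd_audit_rules() {
    rules_file="${1:-/etc/audit/rules.d/50-passwd.rules}"
    cat > "$rules_file" <<'EOF'
## Path watch: any write or attribute change to /etc/passwd
-w /etc/passwd -p wa -k passwd_watch
## Syscall rule: every open/openat that names /etc/passwd, including
## attempts that failed (for example because SELinux denied them), on both ABIs
-a always,exit -F arch=b64 -S open -S openat -F path=/etc/passwd -k passwd_open
-a always,exit -F arch=b32 -S open -S openat -F path=/etc/passwd -k passwd_open
## Denied openat calls on any path: shows which process is being refused
## and with which errno, without needing a watch on every file
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -k access_denied
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -k access_denied
EOF
    grep -c '^-' "$rules_file"
}

# Load the rules into the running kernel (needs root and a running auditd).
load_passwd_audit_rules() {
    auditctl -R "${1:-/etc/audit/rules.d/50-passwd.rules}"
}

# Pull matching events back out by key; -i resolves uids and syscall names,
# so a SELinux denial can be lined up with the syscall that triggered it.
show_passwd_audit_events() {
    ausearch -k "${1:-passwd_open}" -i
}
```

Run write_passwd_audit_rules and load_passwd_audit_rules as root, reproduce the denial, then show_passwd_audit_events with the relevant key.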