On 06/11/2013 01:40 AM, m.roth@xxxxxxxxx wrote:
> CentOS 6.4.
> I'm getting those annoying avc granted's in connection with matlab, still
> (again?). I see in audit.log it saying "allowed". Would dontaudit shut
> that up? The one doc I've found seemed to suggest it would silently deny,
> but said nothing about silently allow.
>
> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Mark,

The 'dontaudit' policy rules are for those *denials* that need not be
logged. In the current case, what you are seeing is the effect of
'auditallow' policy rules, which specify that when certain accesses are
allowed, due to the existence of corresponding 'allow' rules, log that
the access was granted. The 'auditallow' policy rules by themselves do
not grant the access, they only log when the access is granted.

You can see the existing 'auditallow' rules in the policy by running:

sesearch --auditallow

These special rules are put in place so that certain *major* access
allows are logged, especially accesses that would have serious security
implications.

It is recommended not to remove the existing 'auditallow' policy rules.
However, if you need to remove them, I believe that you would have to
remove them from the base policy source, and recompile the base policy.

--
Regards,

Rejy M Cyriac (rmc)
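Added example (not part of the original message and not code from the SELinux project): a shell helper that pulls the `avc: granted` records out of audit log text and prints, for each distinct source type, target type, class and permission set, the narrowed `sesearch --auditallow` query that locates the rule producing the log entry. The log lines are constructed samples, and the function names `sample_log` and `granted_queries` are made up for this example.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the thread).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1370900000.101:410): avc:  granted  { execmem } for  pid=2101 comm="MATLAB" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1370900003.202:411): avc:  denied  { read } for  pid=2150 comm="httpd" name="x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1370900009.303:412): avc:  granted  { execmem } for  pid=2101 comm="MATLAB" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1370900011.404:413): avc:  granted  { setenforce } for  pid=2200 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# Reads audit records on stdin. Denials are ignored: only "granted" records
# come from auditallow rules. Each distinct (source type, target type, class,
# permissions) tuple yields one sesearch command plus the number of records.
granted_queries() {
  sed -n -E 's/.*avc: +granted +\{ ([^}]*) \} for .* scontext=[^: ]*:[^: ]*:([^: ]*)[^ ]* tcontext=[^: ]*:[^: ]*:([^: ]*)[^ ]* tclass=([A-Za-z0-9_]+).*/\2 \3 \4 \1/p' |
  sort | uniq -c |
  while read -r count src tgt class perms; do
    # sesearch takes multiple permissions as a comma-separated list
    perms=$(printf '%s' "$perms" | tr ' ' ',')
    printf 'sesearch --auditallow -s %s -t %s -c %s -p %s  # %s record(s)\n' \
      "$src" "$tgt" "$class" "$perms" "$count"
  done
}

# Demo on the constructed records; on a real host feed it the audit log instead:
#   granted_queries < /var/log/audit/audit.log
sample_log | granted_queries
```

Running the printed commands shows which 'auditallow' rules in the loaded policy account for the granted messages, without listing every such rule in the policy.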