On 04/04/2015 03:05 AM, Joseph L. Casale wrote:
> With the policy updates that came with the CentOS 7.1 update, I am trying to
> update a few local policies we have, but with `setenforce 0` I do not get
> an AVC at all when running my app; however, enabling it and rerunning it
> generates one, but without seeing them all that approach would be like
> whack-a-mole.
>
> The AVC I am getting after setenforce 1 is run is:
>
> type=AVC msg=audit(1428109185.330:570): avc: denied { execute_no_trans } for pid=3953 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25468477 scontext=system_u:system_r:bacula_t:s0 tcontext=sytype=SYSCAL
>
> Why does this not trigger a denial in permissive mode?
>
> Thanks,
> jlc
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

What happens if you switch the SELinux mode (which resets the AVC cache)

# setenforce 1; setenforce 0

and then re-test it?

Could you also post the full raw AVC?

--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
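A small shell helper for the check suggested in the reply, added here as an example and not taken from either message: it toggles the mode to flush the AVC cache, reruns a command, and pulls the raw AVC records with ausearch; the field-extraction functions are exercised on a constructed copy of the record quoted above. The function names (`reset_avc_cache`, `avc_field`, `avc_permission`, `rerun_and_collect`) and the completed `tcontext`/`permissive` values in the sample are assumptions made for this example, since the original record is truncated.

```shell
#!/bin/sh
# Example helper (not from the thread). Switching enforcing <-> permissive
# clears the kernel AVC cache, so the next access is re-evaluated and can
# be logged again instead of being answered from a cached decision.
reset_avc_cache() {
    setenforce 1 && setenforce 0 && getenforce   # prints "Permissive"
}

# Extract one key=value field (e.g. scontext, tcontext, comm) from a raw
# AVC record; quotes around string values are stripped.
avc_field() {
    # $1 = raw AVC line, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Extract the denied permission set, i.e. the text between "{ " and " }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# Flush the cache, re-run the program in permissive mode, then dump every
# raw AVC record from the last 10 minutes (ausearch -ts recent).
# Needs root and a running auditd; not executed at file load.
rerun_and_collect() {
    reset_avc_cache >/dev/null
    "$@"
    ausearch -m avc -ts recent --raw
}

# Constructed sample modelled on the quoted record. The original was cut
# off after "tcontext=sy"; the tcontext/tclass/permissive values below are
# made up for the example, not recovered from the post.
SAMPLE='type=AVC msg=audit(1428109185.330:570): avc: denied { execute_no_trans } for pid=3953 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25468477 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:example_exec_t:s0 tclass=file permissive=1'

# Stand-alone demonstration on the constructed record.
printf 'source: %s\n' "$(avc_field "$SAMPLE" scontext)"
printf 'perm:   %s\n' "$(avc_permission "$SAMPLE")"
printf 'mode:   permissive=%s\n' "$(avc_field "$SAMPLE" permissive)"
```

A `permissive=1` field on the record confirms the denial was logged while permissive; if the application still produces no record after the cache flush, the remaining suspect is a dontaudit rule hiding it.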