Whilst trying to debug a Web
application recently, I had cause to temporarily run the httpd_t
domain in permissive mode in order
to work out what extra ACLs/Labels might be required. In the audit log I noticed that there appeared to be very few AVC messages compared to the number of files and directories created and modified by the httpd_t domain within a user_home_t subtree. Having built a little test-bed for the issue, I found that with the system in fully-enforcing mode, I got an AVC for every type of every file access denied, as expected. However, in permissive mode, what seems to happen is that the audit contains only the first AVC corresponding to any given "policy quadruple" of Source Domain, Target Domain, Target Class and Permission. If I re-ran the test script, the audit log for the same events was quiet, even if I used different filenames. If I run a different test trying "httpd_t, user_home_t, file, read" instead of "httpd_t, user_home_t, file, write" after having previously seen a single log entry for "httpd_t, user_home_t, file, read", then I DO see the "write" being logged, but again, it's only the first instance that gets logged. If I turn the permissive mode off and on again, and re-run the tests, I get another single AVC in the audit log for each "policy quadruple". My reading of the results I see so far is that the action of permitting but logging an action within the SELinux engine causes the corresponding "policy quadruple" to be somehow cached in the kernel state after the first log entry is created, but that subsequent actions are not logged if a cache entry already exists. This presumably relates to SELinux's Access Vector Cache, given what I read elsewhere. One thought was that the quietness in the log was related to SELinux trying to avoid overloading auditd with messages, and that perhaps the cached state might timeout, but this didn't seem to occur. The kernel/SELinux/audit packages on this CentOS6.7 machine, assuming that these are relevant, under this test were: kernel-2.6.32-573.3.1.el6.x86_64 selinux-policy-targeted-3.7.19-279.el6_7.4.noarch audit-2.3.7-5.el6.x86_64 Is this a known "feature" of the way permissive mode is meant to work, and/or is there some other way to flush what I presume to be the cached AVC status?
|
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux