On Wed, 2007-10-17 at 18:22 -0400, Hasan Rezaul-CHR010 wrote: > Yes, I am running in "Permissive" mode right now, just for testing > purposes. > > If this is by design, is there any way I can force SELinux to log every > denial even in Permissive mode ? It is by design, as otherwise you could end up with an unending stream of duplicate denials since the application will keep on processing (since the denials are not enforced), and thus flood the audit system and logs with redundant information. However, the denial will re-appear if the AVC entry is evicted. You can manually flush the AVC by: - toggling enforcing mode (e.g. setenforce 1; setenforce 0), - setting a boolean (e.g. setsebool <somebool>=<somevalue>), - reloading policy (e.g. /usr/sbin/load_policy) Or you should be able to effectively turn off caching by setting the cache threshold down (performance will naturally suffer as a result): echo 0 > /selinux/avc/cache_threshold cat /selinux/avc/cache_threshold > Thanks, > > - Rezaul. > > > -----Original Message----- > From: Eric Paris [mailto:eparis@xxxxxxxxxxxxxx] > Sent: Wednesday, October 17, 2007 5:19 PM > To: Hasan Rezaul-CHR010 > Cc: Stephen Smalley; Daniel J Walsh; selinux@xxxxxxxxxxxxx > Subject: Re: Recurring SELinux events for similar violations... > > Are you running without enforcing just for testing? When you turn off > enforcing it only logs once (by design) but I think it should log the > denial every single time in enforcing mode. > > -Eric > > On 10/17/07, Hasan Rezaul-CHR010 <CHR010@xxxxxxxxxxxx> wrote: > > Hi All, > > > > I am using a Fedora 6 STRICT policy as my base, and have written some > > additional custom policies on top. > > > > For example, I have allowed certain domains (e.g. staff_t) to modify > > file types of etc_t > > And I have disallowed other domains (e.g. user_t) to modify file types > > of etc_t. > > > > When user_t makes the first attempt to modify an etc_t file, I do get > > DENY events :-) > > > > But subsequent attempts by user_t to modify etc_t files *DO NOT* > > generate any more events ?!? > > > > - Is this by design ??? > > > > - Is there something I can do such that EVERY time user_t attempts > to > > modify a file type etc_t , I will get a corresponding DENY ? > > > > - In other words, I would like every violation attempt to be reported > in > > the audit.log file, even if the same violation occurs multiple times > in > > the same session. > > > > Thanks in advance, > > > > - Rezaul. > > > > > > -- > > This message was distributed to subscribers of the selinux mailing > list. > > If you no longer wish to subscribe, send mail to > majordomo@xxxxxxxxxxxxx with > > the words "unsubscribe selinux" without quotes as the message. > > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
