On 07/01/2009 01:04 PM, Stephen Smalley wrote:
On Wed, 2009-07-01 at 11:57 -0400, Daniel J Walsh wrote:
On 07/01/2009 09:32 AM, Christopher Pardy wrote:
Creates a empty file disable_dontaudit in the polciy directory
(/etc/selinux/<policytype>). Checks for the existance of this file to
set the sepol disable don't audit upon handle creation. Also provides
the function "int semanage_get_disable_dontaudit()" which returns the
don't audit property of the current policy.
Signed-off-by: Christopher Pardy<cpardy@xxxxxxxxxx>
Better version of patch.
How does one then re-enable dontaudit rules using semodule or semanage?
We've trained our users to do the following sequence:
semodule -DB
<trigger AVC denials>
semodule -B
With the patch, the latter step will not re-enable dontaudit rules
unless you also change semodule, right?
Patch for semodule command
semodule -B
Will now turn on dontaudit rules
semodule -DB
Will turn off dontaudit rules.
With other patch all other semanage commands will maintain state.
diff -up policycoreutils-2.0.64/semodule/semodule.c~ policycoreutils-2.0.64/semodule/semodule.c
--- policycoreutils-2.0.64/semodule/semodule.c~ 2009-06-23 15:36:25.000000000 -0400
+++ policycoreutils-2.0.64/semodule/semodule.c 2009-07-01 13:34:42.027229000 -0400
@@ -417,8 +418,10 @@ int main(int argc, char *argv[])
printf("Committing changes:\n");
if (no_reload)
semanage_set_reload(sh, 0);
- if (build)
+ if (build) {
+ semanage_set_disable_dontaudit(sh, 0);
semanage_set_rebuild(sh, 1);
+ }
if (disable_dontaudit)
semanage_set_disable_dontaudit(sh, 1);
result = semanage_commit(sh);
