On Thu, 2009-09-03 at 16:17 -0400, Hasan Rezaul-CHR010 wrote:
> Hi All,
>
> I have defined policy such that user_t cannot 'write' to certain
> files/directories, e.g. /etc/passwd.
>
> I have SELinux Strict policy running in "Permissive" Mode, and let's just
> say I am not at liberty to run it in "Enforcing" mode.
>
> I also have /selinux/avc/cache_threshold set to the default "512".
>
> And to test that my policy works, I SSH-login as a user "test" who has
> default context user_u:user_r:user_t
> And I attempt to "vi /etc/passwd".
>
> Given the above conditions:
> - I understand that SELinux will (and does) report a deny into audit.log
> the first time I attempt the "vi /etc/passwd".
>
> - The next time I do "vi /etc/passwd" within the same SSH-session, it
> does NOT log the deny! I understand this is because of the Permissive
> Mode + the cache_threshold value.
>
> - If I exit my SSH session, and then create a new SSH-session and login
> again with user "test", and then "vi /etc/passwd" again, I thought I
> should see a deny in the audit.log? Since this is a new SSH-Session...
> But I DON'T see it???

No. In permissive mode, when the denial is encountered, the AVC adds that
denied permission into the allowed vector in the corresponding AVC cache
entry so that subsequent denials do not get logged. It remains there until
something causes the entry to be evicted, whether that is due to a policy
reload, changing a boolean, toggling enforcing mode, or just needing to
reclaim an entry over time. It doesn't have anything to do with ssh
sessions.

You can force an AVC reset at any time by reloading policy, changing a
boolean, or toggling enforcing mode. Or you can set the threshold low to
cause nodes to get reclaimed quickly for reuse (that sets the upper limit
on the number of nodes to be used by the AVC). Or you could just patch your
kernel to _not_ add the denied permission to the AVC in the first place.
Last time we talked about this, Eric Paris also pointed out how to get
audit information via auditallow rules or using auditctl.

> - If I however SSH-login as "test" after a 'long' time, maybe a few
> hours, and then "vi /etc/passwd", then I do see the deny again...
>
> So my question is: Is there a default timer somewhere (maybe for SSH),
> during which duplicate audit denies don't get logged? And perhaps after
> the timer expires, previous denies are eligible for reporting again?
>
> What would be the impact of changing the "cache_threshold" to "5" for
> example as opposed to the default '512'?
>
> Hopefully that wasn't too confusing. Thanks in advance for your help
> :-)

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
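The following is an added illustration, not part of the thread and not kernel code: a small Python model of the AVC behaviour Stephen describes (a cache keyed by source context, target context and object class; in permissive mode the denied bits are folded into the cached allowed vector; the node goes away only on a reset or when the cache_threshold forces reclaim). It replays the exact sequence from the question (first vi, second vi, "new SSH session", toggling enforcing mode, eviction after many other lookups) and the auditallow alternative Eric Paris pointed out. The security contexts, the policy rules, the etc_t label for /etc/passwd and the one-node-at-a-time LRU reclaim are constructed simplifications; the real AVC in security/selinux/avc.c reclaims nodes in batches.

```python
# Toy model of the SELinux AVC.  Added illustration, not kernel code: the real
# cache (security/selinux/avc.c) reclaims nodes in batches; this model drops
# one least-recently-used node once cache_threshold is reached.  Contexts,
# policy rules and the request sequence are constructed for the example.
from collections import OrderedDict


class ToyAVC:
    # Cache of (scontext, tcontext, tclass) -> allowed permission set.
    def __init__(self, cache_threshold=512, enforcing=False):
        self.cache_threshold = cache_threshold
        self.enforcing = enforcing
        self.policy = {}            # allow rules:      key -> permissions
        self.auditallow = {}        # auditallow rules: key -> permissions
        self.nodes = OrderedDict()  # cached decisions, least recently used first
        self.audit_log = []         # ("denied" | "granted", key, perms)

    def load_policy(self, allow, auditallow=None):
        # Loading policy installs the new rules and flushes the whole cache.
        self.policy = {k: set(v) for k, v in allow.items()}
        self.auditallow = {k: set(v) for k, v in (auditallow or {}).items()}
        self.reset()

    def reset(self):
        self.nodes.clear()  # what avc_ss_reset() does to the cache

    def set_enforcing(self, enforcing):
        # Writing /selinux/enforce resets the AVC only when the value changes.
        if enforcing != self.enforcing:
            self.enforcing = enforcing
            self.reset()

    def _lookup(self, key):
        node = self.nodes.get(key)
        if node is not None:
            self.nodes.move_to_end(key)  # mark as recently used
            return node
        # Miss: the security server computes the decision from policy; reclaim
        # the least recently used node first if we are at the threshold.
        if len(self.nodes) >= self.cache_threshold:
            self.nodes.popitem(last=False)
        node = set(self.policy.get(key, ()))
        self.nodes[key] = node
        return node

    def has_perm(self, key, requested):
        """Return True if the access proceeds (always True in permissive mode)."""
        node = self._lookup(key)
        granted = set(requested) & node
        if granted & self.auditallow.get(key, set()):
            self.audit_log.append(("granted", key, sorted(granted)))
        denied = set(requested) - node
        if not denied:
            return True
        self.audit_log.append(("denied", key, sorted(denied)))
        if self.enforcing:
            return False
        # Permissive: fold the denied permissions into the cached allowed
        # vector, so the next identical request hits the cache and is neither
        # recomputed nor logged, whichever login session it comes from.
        node |= denied
        return True


USER = "user_u:user_r:user_t"
PASSWD_KEY = (USER, "system_u:object_r:etc_t", "file")  # constructed label
ALLOW = {PASSWD_KEY: {"read", "getattr", "open"}}        # no write for user_t
VI_SAVE = {"read", "write", "open"}                      # vi, then :w


def passwd_denials(avc):
    return sum(1 for kind, key, _ in avc.audit_log
               if kind == "denied" and key == PASSWD_KEY)


def replay(cache_threshold=512):
    """Replay the thread's sequence; return the denial count after each step."""
    avc = ToyAVC(cache_threshold=cache_threshold)  # permissive mode
    avc.load_policy(ALLOW)
    counts = {}
    avc.has_perm(PASSWD_KEY, VI_SAVE)    # first vi: cache miss, logged
    counts["first_vi"] = passwd_denials(avc)
    avc.has_perm(PASSWD_KEY, VI_SAVE)    # same session: cached, silent
    counts["second_vi"] = passwd_denials(avc)
    avc.has_perm(PASSWD_KEY, VI_SAVE)    # "new SSH session": same key, silent
    counts["new_session"] = passwd_denials(avc)
    avc.set_enforcing(True)              # setenforce 1; setenforce 0
    avc.set_enforcing(False)
    avc.has_perm(PASSWD_KEY, VI_SAVE)    # cache was reset: logged again
    counts["after_toggle"] = passwd_denials(avc)
    for i in range(cache_threshold):     # touch enough other objects to evict it
        avc.has_perm((USER, f"system_u:object_r:tmp{i}_t", "file"), {"getattr"})
    avc.has_perm(PASSWD_KEY, VI_SAVE)    # node reclaimed: logged again
    counts["after_eviction"] = passwd_denials(avc)
    return counts


def auditallow_reads(n=3):
    """With an auditallow rule every granted read is logged; the cache hides nothing."""
    avc = ToyAVC()
    avc.load_policy(ALLOW, auditallow={PASSWD_KEY: {"read"}})
    for _ in range(n):
        avc.has_perm(PASSWD_KEY, {"read", "open"})
    return sum(1 for kind, _, _ in avc.audit_log if kind == "granted")
```

replay(512) and replay(5) produce the same counts; the lower threshold only changes how many unrelated lookups it takes before the /etc/passwd node is reclaimed (and therefore how often the security server has to recompute decisions), which is the trade-off behind the "cache_threshold = 5" question.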