Re: SELinux and SSH Timers ?...

On Thu, 2009-09-03 at 16:32 -0400, Stephen Smalley wrote:
> On Thu, 2009-09-03 at 16:17 -0400, Hasan Rezaul-CHR010 wrote:
> > Hi All,
> > 
> > I have defined policy such that user_t cannot 'write' to certain
> > files/directories, e.g. /etc/passwd.
> > 
> > I have SELinux Strict policy running in "Permissive" Mode, and let's just
> > say I am not at liberty to run it in "Enforcing" mode.
> > 
> > I also have /selinux/avc/cache_threshold set to the default "512".
> > 
> > And to test that my policy works, I SSH-login as a user "test" who has
> > default context user_u:user_r:user_t
> > And I attempt to "vi /etc/passwd".
> > 
> > Given the above conditions:
> > - I understand that SELinux will (and does) report a deny into audit.log
> > the first time I attempt the "vi /etc/passwd".
> > 
> > - The next time I do "vi /etc/passwd" within the same SSH-session, it
> > does NOT log the deny! I understand this is because of the Permissive
> > Mode + the cache_threshold value.
> > 
> > If I exit my SSH session, and then create a new SSH-session and login
> > again with user "test", and then "vi /etc/passwd" again, I thought I
> > should see a deny in the audit.log? Since this is a new SSH-Session...
> > But I DON'T see it???
> 
> No.  In permissive mode, when the denial is encountered, the AVC adds
> that denied permission into the allowed vector in the corresponding AVC
> cache entry so that subsequent denials do not get logged.  It remains
> there until something causes the entry to be evicted, whether that is
> due to a policy reload, changing a boolean, toggling enforcing mode, or
> just needing to reclaim an entry over time.  It doesn't have anything to
> do with ssh sessions.
> 
> You can force an AVC reset at any time by reloading policy, changing a
> boolean, or toggling enforcing mode.  Or you can set the threshold low
> to cause nodes to get reclaimed quickly for reuse (that sets the upper
> limit on the number of nodes to be used by the AVC).  Or you could just
> patch your kernel to _not_ add the denied permission to the AVC in the
> first place.

What kernel version are you using?

-- 
Stephen Smalley
National Security Agency
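The behaviour Stephen describes above (first permissive-mode denial audited, later identical requests silently allowed from the cache entry regardless of login session, audited again only after the entry is flushed or reclaimed) can be seen in the following simplified model. This is an added illustration, not code from this thread and not the kernel's AVC implementation: the class and function names (AVC, has_perm, run_scenario, run_threshold_scenario), the permission bit values, and the use of type names in place of real SIDs are all constructed here, and eviction is modelled as oldest-entry-first, which is a simplification of the real reclaim logic.

```python
"""Toy model of SELinux AVC denial suppression in permissive mode (added example).

An AVC entry is keyed by (source, target, class) and has nothing to do with
which SSH session made the request. In permissive mode the first denial is
audited and the denied bits are folded into the entry's allowed vector, so
identical requests are served from the cache without a new audit record
until the entry is flushed (policy reload, boolean change, setenforce toggle)
or reclaimed because the cache exceeded its threshold.
"""
from collections import OrderedDict

# Constructed permission bits for the "file" class (not the real policy values).
FILE_READ = 0x1
FILE_WRITE = 0x2


class AVC:
    def __init__(self, policy, permissive=True, cache_threshold=512):
        self.policy = policy              # {(source, target, tclass): allowed_bits}
        self.permissive = permissive
        self.cache_threshold = cache_threshold
        self.cache = OrderedDict()        # insertion order; oldest entry first
        self.audit_log = []               # one tuple per audited denial

    def _lookup(self, key):
        """Return the cached allowed vector, computing it from policy on a miss."""
        if key in self.cache:
            self.cache.move_to_end(key)
            return self.cache[key]
        # Miss: reclaim the oldest entry if the cache is at its threshold,
        # then populate from the policy (hypothetical oldest-first reclaim).
        if len(self.cache) >= self.cache_threshold:
            self.cache.popitem(last=False)
        self.cache[key] = self.policy.get(key, 0)
        return self.cache[key]

    def has_perm(self, source, target, tclass, requested):
        key = (source, target, tclass)
        allowed = self._lookup(key)
        denied = requested & ~allowed
        if not denied:
            return True
        self.audit_log.append((source, target, tclass, denied))
        if self.permissive:
            # Permissive: fold the denied bits into the cached allowed vector so
            # the same denial is not audited again while this entry lives.
            self.cache[key] = allowed | denied
            return True
        return False

    def reset(self):
        """Models a policy reload, boolean change, or enforcing-mode toggle."""
        self.cache.clear()


def run_scenario(cache_threshold=512):
    """Replays the thread's vi /etc/passwd steps; returns audit count after each."""
    key = ("user_t", "passwd_t", "file")
    avc = AVC({key: FILE_READ}, permissive=True, cache_threshold=cache_threshold)
    counts = []
    avc.has_perm(*key, FILE_WRITE)   # 1st vi: denial audited, write folded in
    counts.append(len(avc.audit_log))
    avc.has_perm(*key, FILE_WRITE)   # 2nd vi, same session: cache hit, no audit
    counts.append(len(avc.audit_log))
    avc.has_perm(*key, FILE_WRITE)   # "new SSH session": same key, still no audit
    counts.append(len(avc.audit_log))
    avc.reset()                      # load_policy / setsebool / setenforce flush
    avc.has_perm(*key, FILE_WRITE)   # entry gone: denial audited again
    counts.append(len(avc.audit_log))
    return counts


def run_threshold_scenario():
    """A low cache_threshold lets other lookups reclaim the entry, so the
    denial is audited again; returns the final audit count."""
    passwd = ("user_t", "passwd_t", "file")
    home = ("user_t", "user_home_t", "file")
    policy = {passwd: FILE_READ, home: FILE_READ | FILE_WRITE}
    avc = AVC(policy, permissive=True, cache_threshold=1)
    avc.has_perm(*passwd, FILE_WRITE)   # audited once
    avc.has_perm(*home, FILE_READ)      # unrelated lookup reclaims the passwd entry
    avc.has_perm(*passwd, FILE_WRITE)   # recomputed from policy: audited again
    return len(avc.audit_log)


if __name__ == "__main__":
    print("audit count after each step:", run_scenario())
    print("audit count with threshold 1:", run_threshold_scenario())
```

The model makes the two knobs from the reply concrete: `reset()` stands for anything that flushes the whole AVC, and a small `cache_threshold` causes entries to be reclaimed by ordinary unrelated lookups, so the denial resurfaces in the audit log without any policy change.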

