My Linux kernel version is 2.6.21.

-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: Friday, September 04, 2009 6:49 AM
To: Hasan Rezaul-CHR010
Cc: selinux@xxxxxxxxxxxxx
Subject: Re: SELinux and SSH Timers ?...

On Thu, 2009-09-03 at 16:32 -0400, Stephen Smalley wrote:
> On Thu, 2009-09-03 at 16:17 -0400, Hasan Rezaul-CHR010 wrote:
> > Hi All,
> >
> > I have defined policy such that user_t cannot 'write' to certain
> > files/directories, e.g. /etc/passwd.
> >
> > I have SELinux Strict policy running in "Permissive" Mode, and let's
> > just say I am not at liberty to run it in "Enforcing" mode.
> >
> > I also have /selinux/avc/cache_threshold set to the default "512".
> >
> > And to test that my policy works, I SSH-login as a user "test" who
> > has default context user_u:user_r:user_t and I attempt to "vi
> > /etc/passwd".
> >
> > Given the above conditions:
> > - I understand that SELinux will (and does) report a deny into
> > audit.log the first time I attempt the "vi /etc/passwd".
> >
> > - The next time I do "vi /etc/passwd" within the same SSH-session,
> > it does NOT log the deny! I understand this is because of the
> > Permissive Mode + the cache_threshold value.
> >
> > - If I exit my SSH session, and then create a new SSH-session and
> > login again with user "test", and then "vi /etc/passwd" again, I
> > thought I should see a deny in the audit.log? Since this is a new
> > SSH-Session... But I DON'T see it???
>
> No. In permissive mode, when the denial is encountered, the AVC adds
> that denied permission into the allowed vector in the corresponding
> AVC cache entry so that subsequent denials do not get logged. It
> remains there until something causes the entry to be evicted, whether
> that is due to a policy reload, changing a boolean, toggling
> enforcing mode, or just needing to reclaim an entry over time. It
> doesn't have anything to do with ssh sessions.
>
> You can force an AVC reset at any time by reloading policy, changing a
> boolean, or toggling enforcing mode. Or you can set the threshold low
> to cause nodes to get reclaimed quickly for reuse (that sets the upper
> limit on the number of nodes to be used by the AVC). Or you could
> just patch your kernel to _not_ add the denied permission to the AVC
> in the first place.

What kernel version are you using?

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
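The AVC behaviour Stephen describes (a permissive-mode denial folded into the cached allowed vector, silent until the node is evicted or the cache is reset) is easy to misread from audit.log alone, so here is a small Python model of it. This is an added illustration, not code from the SELinux kernel or from either poster: the class and function names (ToyAVC, has_perm, reset, scenario) and the contexts and policy rules are constructed for the example, and the real AVC is a hash table with a node-count threshold rather than the LRU ordering used here to make "reclaim an entry over time" deterministic.

```python
"""Toy model of SELinux AVC caching in permissive mode (constructed example)."""
from collections import OrderedDict

# Constructed contexts standing in for the thread's scenario (user_t vs /etc/passwd).
USER = "user_u:user_r:user_t"
PASSWD = "system_u:object_r:etc_t"
HOME = "user_u:object_r:user_home_t"
PASSWD_KEY = (USER, PASSWD, "file")
HOME_KEY = (USER, HOME, "file")


class ToyAVC:
    """Cache mapping (scontext, tcontext, tclass) -> allowed permission set."""

    def __init__(self, policy, cache_threshold=512, enforcing=False):
        self.policy = policy                # the "security server" decisions
        self.cache_threshold = cache_threshold
        self.enforcing = enforcing
        self.cache = OrderedDict()          # AVC nodes, least recently used first
        self.audit_log = []                 # lines that would reach audit.log

    def _node(self, key):
        node = self.cache.get(key)
        if node is None:
            # Cache miss: compute the allowed vector from policy and insert a
            # node, reclaiming the oldest nodes once the threshold is exceeded.
            node = set(self.policy.get(key, ()))
            self.cache[key] = node
            while len(self.cache) > self.cache_threshold:
                self.cache.popitem(last=False)
        else:
            self.cache.move_to_end(key)
        return node

    def has_perm(self, scon, tcon, tclass, requested):
        allowed = self._node((scon, tcon, tclass))
        denied = set(requested) - allowed
        if not denied:
            return True
        mode = "permissive=0" if self.enforcing else "permissive=1"
        self.audit_log.append(
            "avc: denied { %s } scontext=%s tcontext=%s tclass=%s %s"
            % (" ".join(sorted(denied)), scon, tcon, tclass, mode))
        if self.enforcing:
            return False
        # Permissive mode: the denied bits are merged into the cached allowed
        # vector, so the same request stays silent until this node disappears.
        allowed |= denied
        return True

    def reset(self):
        """Policy reload, boolean change or setenforce toggle flush every node."""
        self.cache.clear()


def scenario(cache_threshold=512):
    """Replay the thread's experiment; return the audit-log length after each step."""
    policy = {PASSWD_KEY: {"read", "getattr", "open"},   # user_t may read, not write
              HOME_KEY: {"read", "write", "getattr", "open"}}
    avc = ToyAVC(policy, cache_threshold=cache_threshold)
    counts = []
    avc.has_perm(*PASSWD_KEY, {"read", "write"})   # first "vi /etc/passwd": logged
    counts.append(len(avc.audit_log))
    avc.has_perm(*PASSWD_KEY, {"read", "write"})   # retry, same or new ssh session: silent
    counts.append(len(avc.audit_log))
    # Touch another object: with a tiny threshold this evicts the passwd node,
    # so the next write attempt is logged again; with 512 nodes it stays silent.
    avc.has_perm(*HOME_KEY, {"read"})
    avc.has_perm(*PASSWD_KEY, {"read", "write"})
    counts.append(len(avc.audit_log))
    avc.reset()                                     # e.g. toggling enforcing mode
    avc.has_perm(*PASSWD_KEY, {"read", "write"})   # logged once more
    counts.append(len(avc.audit_log))
    return counts


if __name__ == "__main__":
    print("threshold 512:", scenario())
    print("threshold 1:  ", scenario(cache_threshold=1))
```

With the default threshold the log count stays at 1 across the first three steps and only rises after the reset, which is the "new SSH session but no new denial" observation; with a threshold of 1 the node is reclaimed as soon as another object is touched and the denial is logged again, which is the low-threshold workaround Stephen mentions.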