Hi Daniel,

Thanks for the information. I'll add a dontaudit rule.

Thanks,
Jason

On Tue, Sep 7, 2010 at 4:47 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 09/03/2010 05:31 PM, Jason Axelson wrote:
>> Hi,
>>
>> I have a bash script that I've written that runs in its own domain,
>> let's call it my_domain_t. When I run this script, I get a denial
>> stating that the script was denied audit_write. But all the script is
>> doing when it gets this denial is printing to the screen and asking
>> for user input.
>>
>> From the SELinux wiki I know that audit_write allows the program to
>> "send audit messages from user space". But does that mean it is able
>> to write to /var/log/audit/audit.log? Or more likely send a message to
>> the audit daemon which then appends to the audit log?
>>
>> So given that I currently don't feel any need to audit the results of
>> my script should I use an allow rule or something like dontaudit?
>>
>> allow my_domain_t self:capability audit_write;
>> or
>> dontaudit my_domain_t self:capability audit_write;
>>
>> I'm running this script on CLIP.
>>
>> Thanks,
>> Jason
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>> the words "unsubscribe selinux" without quotes as the message.
>
> Just add dontaudit rule.
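The dontaudit rule discussed in this thread, derived from AVC denial records, as an added example that is not part of the original messages. The log lines are constructed, the function names are hypothetical, and the records are assumed to follow the usual AVC layout; the rule is emitted only for the one (domain, class, permission) triple named, so unrelated denials from the same domain stay visible in the log.

```python
import re

# Constructed sample audit records (not from the thread): two audit_write
# denials for the script's domain and one unrelated file denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1283549460.101:40): avc:  denied  { audit_write } for  pid=2101 comm="myscript.sh" capability=29 scontext=user_u:user_r:my_domain_t:s0 tcontext=user_u:user_r:my_domain_t:s0 tclass=capability
type=AVC msg=audit(1283549461.207:41): avc:  denied  { read } for  pid=2101 comm="myscript.sh" name="example.conf" dev=dm-0 ino=1234 scontext=user_u:user_r:my_domain_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1283549475.330:42): avc:  denied  { audit_write } for  pid=2140 comm="myscript.sh" capability=29 scontext=user_u:user_r:my_domain_t:s0 tcontext=user_u:user_r:my_domain_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Extract source type, target type, class and permissions per denial."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match:
            denials.append({
                "source": context_type(match.group("scontext")),
                "target": context_type(match.group("tcontext")),
                "tclass": match.group("tclass"),
                "perms": match.group("perms").split(),
            })
    return denials

def dontaudit_rules(denials, domain, tclass, perm):
    """Build dontaudit rules only for the exact triple the caller names."""
    rules = set()
    for d in denials:
        if d["source"] != domain or d["tclass"] != tclass or perm not in d["perms"]:
            continue  # leave every other denial audited
        target = "self" if d["target"] == d["source"] else d["target"]
        rules.add(f"dontaudit {d['source']} {target}:{tclass} {perm};")
    return sorted(rules)

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for rule in dontaudit_rules(found, "my_domain_t", "capability", "audit_write"):
        print(rule)
```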