On Fri, 15 Feb 2013 14:30:11 -0500 Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> On 02/15/2013 01:44 PM, Luis Ressel wrote:
> > Again, you're right. On this boot, dontaudit rules were actually
> > enabled. Now, here's another log where they are disabled again.
>
> This line from your log file:
>
> audit_printk_skb: 643 callbacks suppressed
>
> indicates that you are hitting the printk ratelimit (to prevent
> flooding of syslog) and therefore dropping messages.
>
> You could apply the attached patch or something like it to disable
> the printk ratelimit on audit messages.

Thanks! Now I finally got a denial message. kernel_t needs search permissions on unlabeled_t dirs, that's all.

> However, you might want to first fix some of the obvious denials in
> your policy. The rlimitinh, siginh, and noatsecure ones can
> generally be ignored. But you are getting various other denials that
> likely should be allowed. Adding the unconfined module to your
> policy would automatically eliminate any denials for the kernel or
> init domains.

Yes, I did all this testing in a VM, not on the system where I originally encountered these issues, and I didn't fine-tune the VM policy. And my policy doesn't include the unconfined module because it was optional in my distro, defaulted to off, and I thought it was only necessary for targeted mode. But I'll try it out now.

I want to thank you again for your fast and helpful responses. Without your help, I probably wouldn't have been able to resolve this issue, at least not within a reasonable time. You really saved me from having severe headaches!

Luis
Attachment:
signature.asc
Description: PGP signature
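A small triage script for the kind of log discussed in this thread, added here as an example; it is not code from the thread, from Stephen's attached patch, or from the SELinux project. It assumes the dmesg-style AVC denial format and constructs its own sample lines. It encodes the two points Stephen makes: a "callbacks suppressed" line means the printk ratelimit dropped messages (so the log is incomplete), and denials that are only rlimitinh/siginh/noatsecure can be set aside, while the remaining ones are turned into candidate allow rules such as the kernel_t search on unlabeled_t dirs that Luis found. The rule text is a starting point for reading, not a policy to install blindly.

```python
"""Triage a dmesg/audit log for SELinux AVC denials.

Added example (not from the mailing-list thread or the SELinux project).
Assumes the kernel's "avc:  denied  { perm } for ... scontext= tcontext= tclass="
format and the "audit_printk_skb: N callbacks suppressed" ratelimit notice.
"""
import re

# Permissions Stephen says can generally be ignored (all on the process class).
IGNORABLE_PERMS = {"rlimitinh", "siginh", "noatsecure"}

SUPPRESSED_RE = re.compile(r"audit_printk_skb: (\d+) callbacks suppressed")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log: three ignorable process denials, the ratelimit
# notice from the thread, then the dir search denial Luis ended up with.
SAMPLE_LOG = """\
[    1.234567] audit: type=1400 audit(1360956611.123:45): avc:  denied  { rlimitinh } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
[    1.234570] audit: type=1400 audit(1360956611.123:46): avc:  denied  { siginh } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
[    1.234573] audit: type=1400 audit(1360956611.123:47): avc:  denied  { noatsecure } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
[    2.000000] audit_printk_skb: 643 callbacks suppressed
[    2.100000] audit: type=1400 audit(1360956612.000:700): avc:  denied  { search } for  pid=1 comm="init" name="/" dev="sda1" ino=2 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
[    2.100001] audit: type=1400 audit(1360956612.000:701): avc:  denied  { search } for  pid=1 comm="init" name="/" dev="sda1" ino=2 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
"""


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def triage(log_text):
    """Summarise a log: dropped-message count, ignorable denials, candidate rules.

    Returns a dict with
      suppressed: total messages the printk ratelimit reported dropping,
      ignored:    number of denial lines consisting only of ignorable perms,
      rules:      deduplicated "allow src tgt:class { perms };" lines.
    """
    suppressed = 0
    ignored = 0
    wanted = {}  # (source type, target type, class) -> set of permissions
    for line in log_text.splitlines():
        m = SUPPRESSED_RE.search(line)
        if m:
            # The kernel dropped this many audit messages: the log is incomplete
            # and any "no denial" conclusion drawn from it is unreliable.
            suppressed += int(m.group(1))
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = set(m.group("perms").split())
        if perms <= IGNORABLE_PERMS:
            ignored += 1
            continue
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        wanted.setdefault(key, set()).update(perms - IGNORABLE_PERMS)
    rules = [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(wanted.items())
    ]
    return {"suppressed": suppressed, "ignored": ignored, "rules": rules}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    if report["suppressed"]:
        print("WARNING: %d audit messages dropped by the printk ratelimit" % report["suppressed"])
    print("ignorable denials (rlimitinh/siginh/noatsecure): %d" % report["ignored"])
    for rule in report["rules"]:
        print(rule)
```

On the sample log this reports 643 dropped messages, 3 ignorable denials, and a single candidate rule, `allow kernel_t unlabeled_t:dir { search };`. Whether that rule belongs in the policy is still a judgement call: dontaudit rules, if enabled, hide denials entirely, and as Stephen notes the unconfined module would make the kernel and init domain denials moot.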