Hi all,

I’ve been working on writing my first policy for SELinux and I’ve hit a bit of a snag. I’ve gotten the policy clean in permissive mode, but when I swap the system over to enforcing, a whole new set of policy issues crops up. Everything I’ve read says this isn’t to be expected so I’m a bit confused as to what’s happening.

Output from sestatus when in permissive mode is:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      29

I’m running a version 26 policy and a 3.16.7 kernel.

It seems like the majority of the new deny audits are about the need for search permissions on directories between types that already have what I believe are the necessary file permissions.
So far what I’ve had to do to get around it is to add to my policy, but that doesn’t seem like that should be necessary. If the audit is clean in permissive mode, why isn’t it clean in enforcing?
Is it possible that I’m missing policy deny audits when it’s in permissive mode?
Thanks,
-Aaron