Re: Switching to enforcing mode introduces new policy issues?

On 04/24/2015 06:12 AM, Spector, Aaron wrote:
> That sounds like an idea, I'll have to give it a shot. To add a bit more information, I'm seeing a bunch of these changes happen during the boot process in init and I would assume the AVC is cleared between reboots - I've tweaked and added some things there for experimentation. I can boot my system up in permissive and see no problems, but when I restart it in enforcing I start seeing brand new policy violations, things I haven't seen before. It seems odd that the same boot sequence would result in such different behavior.
> 
> -Aaron
> 
> -----Original Message-----
> From: Paul Moore [mailto:paul@xxxxxxxxxxxxxx] 
> Sent: Thursday, April 23, 2015 5:20 PM
> To: Spector, Aaron
> Cc: SELinux (selinux@xxxxxxxxxxxxx)
> Subject: Re: Switching to enforcing mode introduces new policy issues?
> 
> On Thu, Apr 23, 2015 at 5:14 PM, Spector, Aaron <Aaron_Spector@xxxxxxxxxx> wrote:
>> Hi all,
>>
>> I’ve been working on writing my first policy for SELinux and I’ve hit 
>> a bit of a snag. I’ve gotten the policy clean in permissive mode, but 
>> when I swap the system over to enforcing, a whole new set of policy issues crop up.
>> Everything I’ve read says this isn’t to be expected so I’m a bit 
>> confused as to what’s happening.
> 

Try to use journalctl/dmesg to search either SELINUX_ERR or AVCs during
boot time.

> {snip}
> 
>> So far what I’ve had to do to get around it is to add to my policy, 
>> but that doesn’t seem like that should be necessary. If the audit is 
>> clean in permissive mode, why isn’t it clean in enforcing?
>>
>> Is it possible that I’m missing policy deny audits when it’s in 
>> permissive mode?
> 
> It's important to remember that when you are in permissive mode you will only see a given SELinux AVC denial *once*, after that it will not be reported until the AVC is reset.  My two favorite ways of resetting the SELinux AVC are to run either 'load_policy' or toggle the system from permissive into enforcing and then back into permissive mode.  Try that and I suspect that will solve your problem.
> 
> -Paul
> 
> --
> paul moore
> www.paul-moore.com
> 
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
> 


-- 
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
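The boot-log check Miroslav suggests, as a runnable shell example added here (not code from the thread): it filters kernel log lines for AVC denials and SELINUX_ERR records and lists each distinct denial once, which is the granularity at which the permissive-mode AVC suppresses repeats. The log lines in the block are constructed samples and the function names are my own; audit type 1400 is AVC and 1401 is SELINUX_ERR.

```shell
#!/bin/sh
# Constructed sample of kernel log lines, not real records from any system.
# Real input: journalctl -k -b | unique_avc_denials
SAMPLE_LOG=$(cat <<'EOF'
audit: type=1400 audit(1429860000.001:12): avc:  denied  { read } for  pid=1 comm="init" name="app.conf" dev="sda1" ino=42 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1429860000.002:13): avc:  denied  { read } for  pid=1 comm="init" name="app.conf" dev="sda1" ino=42 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit: type=1401 audit(1429860000.002:14): op=security_compute_av invalid_context="system_u:system_r:myapp_t:s0"
audit: type=1400 audit(1429860000.003:15): avc:  denied  { write } for  pid=1 comm="init" name="log" dev="sda1" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1429860000.004:16): avc:  granted  { setenforce } for  pid=350 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
)

# Read log lines on stdin; print each distinct denial once as
# "scontext tcontext tclass { perms }" (granted records are skipped).
unique_avc_denials() {
    awk '/avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        print s, t, c, perms
    }' | sort -u
}

# Number of distinct denials in the input (stdin).
count_unique_avc_denials() {
    unique_avc_denials | awk 'END { print NR }'
}

# Number of SELINUX_ERR records (type=1401 in dmesg/journalctl output,
# "SELINUX_ERR" in ausearch output); these are not AVC denials.
count_selinux_errs() {
    grep -c -E 'SELINUX_ERR|type=1401' || true
}

# Reset the kernel AVC so already-reported denials are logged again
# (root only); these are the two resets Paul names in the thread.
reset_avc() {
    setenforce 1 && setenforce 0   # or: load_policy
}

printf '%s\n' "$SAMPLE_LOG" | unique_avc_denials
```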