Hi All,

In my daily work, I’m always solving SELinux denials as presented by the AVC log. But I found that, for one particular test, SELinux cannot give me all the AVC denial logs at one time, which has slowed down a lot of my daily work.

For example, I trigger a process called test_daemon to access /dev/test_device in a particular test. In total, it should need the “open, read, write, ioctl” permissions. But in a single test run, I only catch the “open, read” related AVC logs. Only after I have merged a patch to give the “open” and “read” permissions and rerun the test do the “write, ioctl” related AVC logs start to occur.

So my question is: how can I get the “open, read, write, ioctl” AVC logs in one test?

I have done a little study on this issue. The SELinux AVC log depends on the audit subsystem. In /kernel/kernel/audit.c, some code indicates that we may lose records in five ways:

    /* Records can be lost in several ways:
       0) [suppressed in audit_alloc]
       1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
       2) out of memory in audit_log_move [alloc_skb]
       3) suppressed due to audit_rate_limit
       4) suppressed due to audit_backlog_limit
    */

So is this the root cause of my issue? How can I modify the kernel code to achieve my purpose, or is there already an on/off switch to help me get all the logs in a single test?

Thanks

Sincerely
Alan Xin
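One way to test the hypothesis in the message above, that records were dropped by audit_rate_limit or audit_backlog_limit, is to compare the kernel's lost-record counter before and after the test run. This is an added example, not part of the original message; it assumes `auditctl -s` from the audit userspace tools is available on the target, and the function names and sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Real use:  before=$(auditctl -s); <run the test>; after=$(auditctl -s)
#            audit_loss_report "$before" "$after"

# Print the value of one field from `auditctl -s` text given on stdin.
# Accepts both "key value" lines and the older one-line "key=value ..." form.
audit_field() {
    tr ' =' '\n\n' | awk -v key="$1" '
        $0 == ""  { next }                          # skip blanks left by tr
        grab      { print $0 + 0; found = 1; exit } # token after the key
        $0 == key { grab = 1 }
        END       { if (!found) exit 1 }'
}

# Compare two status snapshots and report how many records the kernel
# counted as lost between them, plus the limits in force afterwards.
audit_loss_report() {
    before=$1
    after=$2
    l0=$(printf '%s\n' "$before" | audit_field lost) || return 2
    l1=$(printf '%s\n' "$after"  | audit_field lost) || return 2
    rate=$(printf '%s\n' "$after"  | audit_field rate_limit)    || rate=unknown
    limit=$(printf '%s\n' "$after" | audit_field backlog_limit) || limit=unknown
    echo "dropped=$((l1 - l0)) rate_limit=$rate backlog_limit=$limit"
}

# Constructed sample snapshots (not real output from any device).
BEFORE='enabled 1
failure 1
pid 412
rate_limit 0
backlog_limit 64
lost 3
backlog 0'

AFTER='enabled 1
failure 1
pid 412
rate_limit 0
backlog_limit 64
lost 41
backlog 64'

audit_loss_report "$BEFORE" "$AFTER"
```

A result of dropped=0 means the lost counter did not move during the run, so the missing records were not counted as lost by the audit subsystem.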