On May 4, 2015 7:51 PM, "William Roberts" <bill.c.roberts@xxxxxxxxx> wrote:
>
> Outside of the fact that I see Linux will
Darn talk to text... I see SELinux
only prints the first denial, and in permissive perhaps your logs are rolling over or something like that; I have no idea. SELinux and the audit framework in general will never miss a message, with the exception of a full message queue or some exceptional case.
>
> Perhaps sds can shed some light on it that I'm not aware of
>
> On May 4, 2015 7:43 PM, "Zhi Xin" <xinzhi@xxxxxxxxxxx> wrote:
>>
>> Hi William,
>>
>>
>>
>> In my experience, under permissive we can indeed get more AVC logs than under enforcing, but it still cannot give all the denial logs in one go. Usually it requires 2-3 rounds of policy additions for a complicated issue, even under permissive.
>>
>>
>>
>> Any clue about this?
>>
>>
>>
>> Thanks.
>>
>> Sincerely
>>
>> Alan Xin
>>
>>
>>
>> From: William Roberts [mailto:bill.c.roberts@xxxxxxxxx]
>> Sent: May 5, 2015 10:37
>> To: Zhi Xin
>> Cc: selinux@xxxxxxxxxxxxx
>> Subject: Re: Give out all the avc logs in one time
>>
>>
>>
>> Are you running in permissive or enforcing mode? Usually, if you're running in enforcing mode, the daemon will not be able to perform all of the tasks that it normally would, thus you're missing messages.
>>
>> On May 4, 2015 7:11 PM, "Zhi Xin" <xinzhi@xxxxxxxxxxx> wrote:
>>
>> Hi All,
>>
>>
>>
>> In my daily work, I'm always resolving SELinux denials as presented in the AVC log. But I found that, for one particular test, SELinux cannot give me all the AVC denial logs in one go, which has slowed down my daily work a lot.
>>
>>
>>
>> For example, I trigger a process called test_daemon to access /dev/test_device in a particular test. In total, it should need the "open, read, write, ioctl" permissions. But in a single test run, I only catch the "open, read" related AVC logs. Only after I have merged a patch granting the "open" and "read" permissions and rerun the test do the "write, ioctl" related AVC logs start to occur. So my question is: how can I get the "open, read, write, ioctl" AVC logs in one test?
>>
>>
>>
>> I have done a little study on this issue. The SELinux AVC log depends on the audit subsystem. In /kernel/kernel/audit.c, a comment indicates that we may lose records in five ways:
>>
>> /* Records can be lost in several ways:
>>    0) [suppressed in audit_alloc]
>>    1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
>>    2) out of memory in audit_log_move [alloc_skb]
>>    3) suppressed due to audit_rate_limit
>>    4) suppressed due to audit_backlog_limit
>> */
>>
>>
>>
>> So is this the root cause of my issue? How can I modify the kernel code to achieve my purpose, or is there already an on/off switch to help me get all the logs in one test run?
>>
>>
>>
>> Thanks
>>
>> Sincerely
>>
>> Alan Xin
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
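The two points raised in the thread, that in enforcing mode the daemon dies on the first denied open() and so never reaches the read/write/ioctl checks, while in permissive mode every check is audited in the same run, and that the audit rate and backlog limits quoted from audit.c are the places where records can actually be dropped, can be checked with a small script. The following is an added example, not code from the thread or the SELinux project: the AVC lines and the `auditctl -s` output are constructed samples, the pid/inode values and the `test_daemon`/`test_device` types are assumed, and the 8192 backlog threshold is an arbitrary assumption, not a kernel default.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the thread). The enforcing run stops at
# the first denial: open() fails, so read/write/ioctl are never attempted.
# The permissive run lets open() proceed, so the later checks are also made
# and audited in the same run.
ENFORCING_RUN = """\
type=AVC msg=audit(1430789000.101:201): avc: denied { open } for pid=1234 comm="test_daemon" path="/dev/test_device" dev="tmpfs" ino=77 scontext=u:r:test_daemon:s0 tcontext=u:object_r:test_device:s0 tclass=chr_file permissive=0
"""

PERMISSIVE_RUN = """\
type=AVC msg=audit(1430789100.201:301): avc: denied { read write } for pid=1240 comm="test_daemon" name="test_device" dev="tmpfs" ino=77 scontext=u:r:test_daemon:s0 tcontext=u:object_r:test_device:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1430789100.201:302): avc: denied { open } for pid=1240 comm="test_daemon" path="/dev/test_device" dev="tmpfs" ino=77 scontext=u:r:test_daemon:s0 tcontext=u:object_r:test_device:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1430789100.205:303): avc: denied { ioctl } for pid=1240 comm="test_daemon" path="/dev/test_device" dev="tmpfs" ino=77 ioctlcmd=0x5401 scontext=u:r:test_daemon:s0 tcontext=u:object_r:test_device:s0 tclass=chr_file permissive=1
"""

# Constructed `auditctl -s` style output (assumed values).
AUDIT_STATUS = """\
enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 320
lost 0
backlog 0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Type field of a context: u:r:TYPE:s0 (Android) or user:role:TYPE:range."""
    return ctx.split(":")[2]


def parse_denials(text):
    """One dict per AVC denial line; lines that are not AVC denials are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append({
            "perms": frozenset(m.group("perms").split()),
            "sdomain": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return out


def aggregate(denials):
    """Union of denied permissions per (source domain, target type, class)."""
    agg = defaultdict(set)
    for d in denials:
        agg[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(agg)


def allow_rules(text):
    """Render one allow rule per (domain, type, class), audit2allow style."""
    rules = []
    for (sdomain, ttype, tclass), perms in sorted(aggregate(parse_denials(text)).items()):
        rules.append("allow %s %s:%s { %s };" % (sdomain, ttype, tclass, " ".join(sorted(perms))))
    return rules


def audit_loss_risks(status_text, min_backlog=8192):
    """Flag `auditctl -s` settings under which the kernel can drop records
    (cases 3 and 4 of the audit.c comment) and any loss already reported."""
    kv = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            kv[parts[0]] = int(parts[1])
    warnings = []
    if kv.get("lost", 0) > 0:
        warnings.append("kernel already reports %d lost records" % kv["lost"])
    if kv.get("rate_limit", 0) > 0:
        warnings.append("rate_limit=%d can suppress bursts; set 'auditctl -r 0'" % kv["rate_limit"])
    if kv.get("backlog_limit", 0) and kv["backlog_limit"] < min_backlog:
        warnings.append("backlog_limit=%d is small; raise with 'auditctl -b %d'"
                        % (kv["backlog_limit"], min_backlog))
    return warnings


if __name__ == "__main__":
    print("enforcing run:", allow_rules(ENFORCING_RUN))
    print("permissive run:", allow_rules(PERMISSIVE_RUN))
    print("audit status:", audit_loss_risks(AUDIT_STATUS))
```

Run against a real `dmesg`/`audit.log` and `auditctl -s`, the enforcing run yields only the open permission while the permissive run yields the complete rule in one pass; a non-zero `lost` counter or a non-zero `rate_limit` is the signal that the kernel itself, not the daemon's early exit, is the reason messages are missing.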