* AVC Messages
From: Warren Lerner @ 2002-06-17 17:44 UTC
To: SELinux
Hello All,
I am very new to SELinux. I have some questions, and I hope you all
forgive me if they have been asked before.
1. Is it possible to turn the avc 'granted' or 'denied' messages
off? If so, how?
2. Can I write my own policy file from scratch and use only the
functions necessary for my purpose?
3. Will SELinux be incorporated into the next kernel release?
Thank you for your time in advance.
Warren Lerner
wdl@zai.com
* Re: AVC Messages
From: Stephen Smalley @ 2002-06-17 19:01 UTC
To: Warren Lerner; +Cc: SELinux
On 17 Jun 2002, Warren Lerner wrote:
> I am very new to SELinux. I have some questions, and I hope you all
> forgive me if they have been asked before.
>
> 1. Is it possible to turn the avc 'granted' or 'denied' messages
> off? If so, how?
Granted messages are only generated if you have specified auditallow rules
in the configuration. Denied messages are always generated unless you
specify auditdeny rules in the configuration. A recently posted patch
(also committed to the sourceforge CVS tree) changes the 'auditdeny'
rules to 'dontaudit' rules and provides more intuitive semantics. See
the "Configuring the SELinux Policy" report for the precise syntax, or
look at examples in the example policy configuration.
> 2. Can I write my own policy file from scratch and use only the
> functions necessary for my purpose?
Of course. But writing a policy from scratch is nontrivial. As with the
prior question, please read the aforementioned report.
> 3. Will SELinux be incorporated into the next kernel release?
The LSM kernel patch, on which SELinux is now based, will _hopefully_ be
incorporated into the 2.5 development series. But obviously that isn't
under our control.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: AVC Messages
From: Russell Coker @ 2002-06-17 19:14 UTC
To: Warren Lerner, SELinux
On Mon, 17 Jun 2002 19:44, Warren Lerner wrote:
> 1. Is it possible to turn the avc 'granted' or 'denied' messages
> off? If so, how?
There is no way to turn them all off. You can put in rules that match large
numbers of them though, consider the following:
dontaudit domain file_type:{ file lnk_file fifo_file } create_file_perms;
dontaudit domain file_type:dir create_dir_perms;
But that's probably not what you really want. When you put SE Linux in
enforcing mode it's a real PITA to have things not work and no messages to
explain why (I recently had some problems when I put in dontaudit rules for
almost every action on /tmp and then X stopped working).
As for granted, avc_toggle is the only thing (AFAIK) that gets granted
without you explicitly requesting it.
> 2. Can I write my own policy file from scratch and use only the
> functions necessary for my purpose?
Sure!
> 3. Will SELinux be incorporated into the next kernel release?
I doubt it. But hopefully LSM will be, and once your kernel has the base LSM
code SE Linux will apply cleanly and easily.
I would prefer to see SE Linux stay out of the main kernel (for several
reasons) and see just LSM go in.
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
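The two replies above describe the audit controls: 'granted' records appear only where an auditallow rule asks for them, denials are logged unless a dontaudit rule matches, and blanket dontaudit rules such as the two Russell quotes hide exactly the messages that explain why something stopped working. The following is an added example, not code from this thread or from the SELinux project: a small Python triage script that pulls AVC records out of a mixed kernel log, separates granted from denied, aggregates denials by source type, target type and object class, and proposes a dontaudit rule only for tuples that recur at least `min_count` times, so that rare denials stay audited. The sample log lines, the type names in them, the record layout assumed by `AVC_RE` and the `min_count` threshold are all constructed for the example; the emitted statements use the `dontaudit source target:class { perms };` form shown in Russell's reply.

```python
"""Triage SELinux AVC messages from a kernel log (added example, not thread code)."""
import re
from collections import Counter, defaultdict

# Assumed record layout: accepts both the early
# "avc:  denied  { perm } for  pid=... exe=..." form and the later
# "type=AVC ... avc:  denied  { perm } for  pid=... comm=..." form, since the
# fields we key on (scontext, tcontext, tclass) appear in both.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log lines; type names, paths and pids are illustrative only.
SAMPLE_LOG = [
    "kernel: avc:  denied  { getattr } for  pid=812 exe=/usr/bin/updatedb path=/root "
    "dev=03:01 ino=2 scontext=system_u:system_r:updatedb_t "
    "tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir",
    "kernel: avc:  denied  { search } for  pid=812 exe=/usr/bin/updatedb path=/root "
    "dev=03:01 ino=2 scontext=system_u:system_r:updatedb_t "
    "tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir",
    "kernel: avc:  denied  { getattr } for  pid=812 exe=/usr/bin/updatedb path=/root "
    "dev=03:01 ino=2 scontext=system_u:system_r:updatedb_t "
    "tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir",
    "kernel: avc:  denied  { write } for  pid=1203 exe=/usr/X11R6/bin/XFree86 "
    "path=/tmp/.X11-unix dev=03:01 ino=4097 scontext=system_u:system_r:xdm_xserver_t "
    "tcontext=system_u:object_r:tmp_t tclass=dir",
    "kernel: avc:  granted  { avc_toggle } for  pid=640 exe=/sbin/avc_toggle "
    "scontext=system_u:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t "
    "tclass=security",
    "kernel: eth0: link up, 100Mbps, full-duplex",
]


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        # A security context is user:role:type[:level]; the type is field 2.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def classify(lines):
    """Count granted, denied and non-AVC lines (the same selection a log
    daemon filter on the 'avc:' substring makes when routing these records)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        counts[rec["verdict"] if rec else "other"] += 1
    return counts


def dontaudit_candidates(lines, min_count=2):
    """Aggregate denials by (source type, target type, object class).

    Returns (rules, rare): dontaudit statements for tuples seen at least
    min_count times, and the tuples below the threshold, which stay audited
    because a rare denial is often the one that explains a failure.
    """
    counts = Counter()
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        counts[key] += 1
        perms[key] |= rec["perms"]
    rules, rare = [], []
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        stype, ttype, tclass = key
        if n >= min_count:
            plist = " ".join(sorted(perms[key]))
            rules.append(f"dontaudit {stype} {ttype}:{tclass} {{ {plist} }};")
        else:
            rare.append((stype, ttype, tclass, n))
    return rules, rare


if __name__ == "__main__":
    print(dict(classify(SAMPLE_LOG)))
    rules, rare = dontaudit_candidates(SAMPLE_LOG)
    for rule in rules:
        print(rule)
    for stype, ttype, tclass, n in rare:
        print(f"# keep auditing: {stype} -> {ttype}:{tclass} ({n} denial)")
```

On the constructed sample the script proposes one rule for the recurring updatedb denials and keeps the single X server denial on /tmp audited, which is the kind of message Russell's anecdote says you want to see. Each proposed rule should be read against the original records before it goes into the policy: recurring denials are noise only once you know what the program was trying to do.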
* Re: AVC Messages
From: Russell Coker @ 2002-06-17 19:28 UTC
To: Stephen Smalley, Warren Lerner; +Cc: SELinux
On Mon, 17 Jun 2002 21:01, Stephen Smalley wrote:
> > 2. Can I write my own policy file from scratch and use only the
> > functions necessary for my purpose?
>
> Of course. But writing a policy from scratch is nontrivial. As with the
> prior question, please read the aforementioned report.
Writing a policy starting from the sample policy is not trivial either. Even
starting from my sample policy (the NSA sample tree plus quite a number of
things I've written) it still takes a bit of work.
I spent about 3 hours configuring the policy for the SE Debian machine at
LinuxTag. 3 hours for an expert to configure a shell server with hostile
users which is also an FTP server is not very good.
Things are being improved though; my latest sample policy tree is much more
complete, and before OLS I aim to get all the features of the LinuxTag setup
into my standard default policy and submitted to Stephen.
At that time a typical box with no unusual daemons could be set up by an
expert in 10 minutes, and by a novice in a few hours.
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
* AVC messages
From: Carlos Anisio Monteiro @ 2003-11-12 16:33 UTC
To: selinux
Hi, it's me again.
Please,
a) I'd like to know how I can write the "avc messages" to a
specific SELinux log file, for instance a *selinux.log* file, and not
to the messages log file.
b) How do I make the "avc messages" not be displayed on the console,
only in the selinux.log file?
Thanks.
--
Carlos Anisio Monteiro <monteiro@ipen.br>
IPEN/CNEN-SP
Sao Paulo - Brasil
* Re: AVC messages
From: Stephen Smalley @ 2003-11-12 21:24 UTC
To: Carlos Anisio Monteiro; +Cc: selinux
On Wed, 2003-11-12 at 11:33, Carlos Anisio Monteiro wrote:
> a) I'd like to know how I can write the "avc messages" to
> a specific SELinux log file, for instance a selinux.log file, and
> not to the messages log file.
>
> b) How do I make the "avc messages" not be displayed on the console,
> only in the selinux.log file?
SELinux simply uses the existing kernel logging support.
You can set the log level via the 'avc_log_level=' kernel boot
parameter. The default level is 4 (KERN_WARNING). You
can alter the behavior of klogd or syslogd in the usual manner, see
their man pages.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: AVC messages
From: Dale Amon @ 2003-11-12 21:27 UTC
To: Carlos Anisio Monteiro; +Cc: selinux
On Wed, Nov 12, 2003 at 02:33:16PM -0200, Carlos Anisio Monteiro wrote:
> a) I'd like to know how I can write the "avc messages" to a
> specific SELinux log file, for instance a *selinux.log* file, and not
> to the messages log file.
>
> b) How do I make the "avc messages" not be displayed on the console,
> only in the selinux.log file?
You might want to look into syslog-ng. It will let you send things
to log files based on filters.