* dumb auditdeny question
From: Magosányi Árpád @ 2004-02-11  8:03 UTC
  To: SELinux

Hi!

I wanted to get rid of the following message:

 avc:  denied  { create } for  pid=400 exe=/usr/bin/vim
scontext=kernel_u:kernel_r:kernel_d tcontext=kernel_u:object_r:tcb_t
tclass=file

so I have the following in my policy:

auditdeny kernel_d tcb_t:{ file lnk_file sock_file fifo_file chr_file }
        { ioctl append rename create };

But I still get the message.

What did I do wrong?

-- 
GNU GPL: only from a clean source


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: dumb auditdeny question
From: Faye Coker @ 2004-02-11 12:31 UTC
  To: Magosányi Árpád, SELinux

On Wed, 11 Feb 2004 19:03, Magosányi Árpád wrote:

> I wanted to get rid of the following message:
>
>  avc:  denied  { create } for  pid=400 exe=/usr/bin/vim
> scontext=kernel_u:kernel_r:kernel_d tcontext=kernel_u:object_r:tcb_t
> tclass=file
>
> so I have the following in my policy:
>
> auditdeny kernel_d tcb_t:{ file lnk_file sock_file fifo_file chr_file }
>         { ioctl append rename create };
>
> But I still get the message.
> What did I do wrong?

Change the "auditdeny" to "dontaudit".

What you are saying with the auditdeny line is "audit a denial of these 
operations" { ioctl, append, rename, create }.  dontaudit means don't audit 
what you have listed.

Use of auditdeny tends to cause confusion, so use dontaudit instead  :)


faye

-- 
Faye Coker
faye@lurking-grue.org



* Re: dumb auditdeny question
From: David Caplan @ 2004-02-11 13:58 UTC
  To: Magosányi Árpád; +Cc: SELinux

Magosányi Árpád wrote:
> Hi!
> 
> I wanted to get rid of the following message:
> 
>  avc:  denied  { create } for  pid=400 exe=/usr/bin/vim
> scontext=kernel_u:kernel_r:kernel_d tcontext=kernel_u:object_r:tcb_t
> tclass=file
> 
> so I have the following in my policy:
> 
> auditdeny kernel_d tcb_t:{ file lnk_file sock_file fifo_file chr_file }
>         { ioctl append rename create };
> 
> But I still get the message.
> 
> What did I do wrong?
> 

You want to use the "dontaudit" command.  Auditdeny says to generate a 
message only when permission was denied on the specified access.  So you 
probably want:

dontaudit kernel_d tcb_t:{ file lnk_file sock_file fifo_file chr_file } 
            { ioctl append rename create };

It's not a dumb question; the auditdeny keyword is confusing.  That's 
one reason the dontaudit syntax was introduced.  I believe in the base 
(NSA) policy there are no uses of auditdeny.

David

__________________________________

David Caplan     410 290 1411 x105
dac@tresys.com
Tresys Technology, LLC
8840 Stanford Blvd., Suite 2100
Columbia, MD 21045
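
Added example, not part of the thread and not code from any SELinux tool: a small Python parser that turns AVC denial records like the one quoted above into the dontaudit rules the replies recommend, merging permissions per source type, target type and class. The second log record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# The denial quoted in the thread (line-wrapped as in the mail), followed by
# one constructed record that shows permissions being merged into one rule.
SAMPLE_LOG = """\
 avc:  denied  { create } for  pid=400 exe=/usr/bin/vim
scontext=kernel_u:kernel_r:kernel_d tcontext=kernel_u:object_r:tcb_t
tclass=file
 avc:  denied  { ioctl append } for  pid=400 exe=/usr/bin/vim
scontext=kernel_u:kernel_r:kernel_d tcontext=kernel_u:object_r:tcb_t
tclass=file
"""

# Fields may be spread over several lines, but a match must never run into
# the next "avc:" record, so a truncated record is skipped, not mis-joined.
GAP = r"(?:(?!avc:).)*?"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    + GAP + r"scontext=(?P<scon>\S+)"
    + GAP + r"tcontext=(?P<tcon>\S+)"
    + GAP + r"tclass=(?P<tclass>\w+)",
    re.DOTALL,
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return fields[2]

def dontaudit_rules(log_text):
    """Build one dontaudit rule per (source type, target type, class)."""
    perms_by_key = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        perms_by_key[key].update(m["perms"].split())
    return [
        f"dontaudit {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]

if __name__ == "__main__":
    print("\n".join(dontaudit_rules(SAMPLE_LOG)))
```

A dontaudit rule only silences the log entry; the access is still denied, so review each generated rule before adding it to policy because it will also hide denials that point to a real problem.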
