anyway to reverse a dontaudit rule?

anyway to reverse a dontaudit rule?

[Joy Latten]

Is there a way to reverse a dontaudit rule without having to
modify and recompile base policy? 
I need to see the audit message to help determine what permissions
are being denied for a particular application.

Regards,
Joy


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: anyway to reverse a dontaudit rule?

[Karl MacMillan]

Joy Latten wrote:
> Is there a way to reverse a dontaudit rule without having to
> modify and recompile base policy? 
> I need to see the audit message to help determine what permissions
> are being denied for a particular application.
> 

No - that is why the enableaudit.pp base policy is provided in 
/usr/share/selinux/[policyname]/enableaudit.pp. Install that with:

semodule -b path_to_enableaudit

and you should see all denials.

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [redhat-lspp] Re: anyway to reverse a dontaudit rule?

[Christopher J. PeBenito]

On Wed, 2006-11-15 at 17:06 -0500, Karl MacMillan wrote:
> Joy Latten wrote:
> > Is there a way to reverse a dontaudit rule without having to
> > modify and recompile base policy? 
> > I need to see the audit message to help determine what permissions
> > are being denied for a particular application.
> > 
> 
> No - that is why the enableaudit.pp base policy is provided in 
> /usr/share/selinux/[policyname]/enableaudit.pp. Install that with:
> 
> semodule -b path_to_enableaudit
> 
> and you should see all denials.

Yes.  Eventually all of the dontaudits will be made conditional,
controlled by a Boolean.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: anyway to reverse a dontaudit rule?

[Stephen Smalley]

On Wed, 2006-11-15 at 17:06 -0500, Karl MacMillan wrote:
> Joy Latten wrote:
> > Is there a way to reverse a dontaudit rule without having to
> > modify and recompile base policy? 
> > I need to see the audit message to help determine what permissions
> > are being denied for a particular application.
> > 
> 
> No - that is why the enableaudit.pp base policy is provided in 
> /usr/share/selinux/[policyname]/enableaudit.pp. Install that with:
> 
> semodule -b path_to_enableaudit
> 
> and you should see all denials.

...that would have been suppressed by dontaudit rules in the base
module.  But not dontaudit rules in non-base modules.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.