From: Daniel J Walsh <dwalsh@redhat.com>
To: Robert Story <rstory@sparta.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: setroubleshoot problems with MLS policy in enforcing mode
Date: Thu, 04 Sep 2008 09:06:20 -0400
Message-ID: <48BFDD4C.50105@redhat.com>
In-Reply-To: <20080827155839.08c93565@sparta.com>
Robert Story wrote:
> Hi,
>
> I'm having some issues with enforcing mode for the MLS policy. I've
> been able to get around a few issues by simply feeding avcs through
> audit2allow, but this is an MLS range issue, so I think something else
> is needed... Here is the AVC
>
> type=AVC msg=audit(1219865658.259:224923): avc: denied { write } for pid=1332 comm="audispd" path="socket:[7463]" dev=sockfs ino=7463 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:system_r:audisp_t:s0-s15:c0.c1023 tclass=unix_stream_socket
>
> This message is repeated quite frequently, driving the load up and
> filling the log file. The audispd process is running at SystemHigh,
> and I haven't found a way to kill it without dropping to permissive
> mode. (Any suggestions on that appreciated as well.. "newrole -r
> sysadm_t; newrole -l s15; kill 1332" didn't work..)
>
> I'm wondering if audisp/setroubleshoot are needed for auditing to work,
> or if they are helpers for X applications, in which case they aren't
> needed at all, since X doesn't run in MLS enforcing.
>
>
They are not needed for auditing to work. I am not sure setroubleshoot
would even be legal in an MLS environment since it could leak sensitive
information.
If you add a module with

    # myaudit.te
    policy_module(myaudit, 1.0)

    gen_require(`
            type audisp_t;
    ')

    # let audisp_t write to sockets at any MLS level, not only its own
    mls_socket_write_all_levels(audisp_t)

Does this solve the problem?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
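As an added illustration, not part of either message in the thread: a small Python script that parses the AVC record quoted above and compares the MLS levels of the two security contexts. It shows why this denial is a level-range mismatch between a process running at s15:c0.c1023 and a socket labelled s0-s15:c0.c1023, which a type-enforcement allow rule produced by audit2allow cannot clear, and why the fix above reaches for an MLS interface instead. The sample record is the one from the thread; the function names are my own.

```python
import re

# Constructed sample: the AVC record quoted in the thread above (wrapped here for readability).
SAMPLE_AVC = (
    'type=AVC msg=audit(1219865658.259:224923): avc: denied { write } for pid=1332 '
    'comm="audispd" path="socket:[7463]" dev=sockfs ino=7463 '
    'scontext=system_u:system_r:audisp_t:s15:c0.c1023 '
    'tcontext=system_u:system_r:audisp_t:s0-s15:c0.c1023 tclass=unix_stream_socket'
)


def parse_categories(spec):
    """'c0.c1023' -> categories 0..1023; 'c1,c3.c5' -> {1,3,4,5}; '' -> no categories."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(','):
        if '.' in part:
            lo, hi = part.split('.')
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(level):
    """'s15:c0.c1023' -> (15, categories); a bare 's0' has no categories."""
    sens, _, cats = level.partition(':')
    return int(sens[1:]), parse_categories(cats)


def level_str(level):
    sens, cats = level
    if not cats:
        return 's%d' % sens
    lo, hi = min(cats), max(cats)
    if len(cats) == hi - lo + 1:           # contiguous set, print as a range
        return 's%d:c%d.c%d' % (sens, lo, hi)
    return 's%d:%s' % (sens, ','.join('c%d' % c for c in sorted(cats)))


def parse_context(ctx):
    """user:role:type:low[-high]; the MLS part itself contains ':' so split at most 3 times."""
    user, role, type_, mls = ctx.split(':', 3)
    low, _, high = mls.partition('-')
    return {'user': user, 'role': role, 'type': type_,
            'low': parse_level(low), 'high': parse_level(high or low)}


def dominates(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(a) is a superset of cats(b)."""
    return a[0] >= b[0] and a[1] >= b[1]


def analyze_avc(record):
    fields = dict(re.findall(r'(\w+)=(\S+)', record))
    src = parse_context(fields['scontext'])
    tgt = parse_context(fields['tcontext'])
    return {
        'tclass': fields['tclass'],
        'same_type': src['type'] == tgt['type'],
        'source_low': level_str(src['low']),
        'target_low': level_str(tgt['low']),
        'low_levels_equal': src['low'] == tgt['low'],
        'source_dominates_target_low': dominates(src['low'], tgt['low']),
        'source_within_target_range': (dominates(src['low'], tgt['low'])
                                       and dominates(tgt['high'], src['high'])),
    }


def verdict(result):
    """Heuristic: identical types on both sides but different low levels points at an
    MLS constraint rather than a missing type-enforcement rule."""
    if result['same_type'] and not result['low_levels_equal']:
        return ('MLS level mismatch on %s: source %s vs target low %s; '
                'an allow rule from audit2allow will not clear this, an MLS interface is needed'
                % (result['tclass'], result['source_low'], result['target_low']))
    return 'levels agree; look for a missing type-enforcement rule'


if __name__ == '__main__':
    print(verdict(analyze_avc(SAMPLE_AVC)))
```

Running the script on the quoted record reports that audisp_t is the type on both sides while the levels differ (s15:c0.c1023 against a low of s0), so the access falls under the policy's MLS constraints on socket writes; that is the case the mls_socket_write_all_levels() interface is meant for.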
2008-08-27 19:58 setroubleshoot problems with MLS policy in enforcing mode Robert Story
2008-09-04 13:06 ` Daniel J Walsh [this message]