* setroubleshoot problems with MLS policy in enforcing mode
@ 2008-08-27 19:58 Robert Story
  2008-09-04 13:06 ` Daniel J Walsh
  0 siblings, 1 reply; 2+ messages in thread
From: Robert Story @ 2008-08-27 19:58 UTC (permalink / raw)
  To: SE Linux


Hi,

I'm having some issues with enforcing mode for the MLS policy. I've
been able to get around a few issues by simply feeding avcs through
audit2allow, but this is an MLS range issue, so I think something else
is needed...  Here is the AVC:

type=AVC msg=audit(1219865658.259:224923): avc:  denied  { write } for  pid=1332 comm="audispd" path="socket:[7463]" dev=sockfs ino=7463 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:system_r:audisp_t:s0-s15:c0.c1023 tclass=unix_stream_socket

This message is repeated quite frequently, driving the load up and
filling the log file. The audispd processing is running at SystemHigh,
and I haven't found a way to kill it without dropping to permissive
mode. (Any suggestions on that appreciated as well.. "newrole -r
sysadm_t; newrole -l s15; kill 1332" didn't work..)

I'm wondering if audisp/setroubleshoot are needed for auditing to work,
or if they are helps for X applications, in which case they aren't
needed at all, since X doesn't run in MLS enforcing.


-- 
Robert Story
SPARTA



* Re: setroubleshoot problems with MLS policy in enforcing mode
  2008-08-27 19:58 setroubleshoot problems with MLS policy in enforcing mode Robert Story
@ 2008-09-04 13:06 ` Daniel J Walsh
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2008-09-04 13:06 UTC (permalink / raw)
  To: Robert Story; +Cc: SE Linux

Robert Story wrote:
> Hi,
> 
> I'm having some issues with enforcing mode for the MLS policy. I've
> been able to get around a few issues by simply feeding avcs through
> audit2allow, but this is an MLS range issue, so I think something else
> is needed...  Here is the AVC:
> 
> type=AVC msg=audit(1219865658.259:224923): avc:  denied  { write } for  pid=1332 comm="audispd" path="socket:[7463]" dev=sockfs ino=7463 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:system_r:audisp_t:s0-s15:c0.c1023 tclass=unix_stream_socket
> 
> This message is repeated quite frequently, driving the load up and
> filling the log file. The audispd processing is running at SystemHigh,
> and I haven't found a way to kill it without dropping to permissive
> mode. (Any suggestions on that appreciated as well.. "newrole -r
> sysadm_t; newrole -l s15; kill 1332" didn't work..)
> 
> I'm wondering if audisp/setroubleshoot are needed for auditing to work,
> or if they are helps for X applications, in which case they aren't
> needed at all, since X doesn't run in MLS enforcing.
> 
> 
They are not needed for auditing to work.  I am not sure setroubleshoot
would even be legal in an MLS environment since it could leak sensitive
information.

If you add a module with

policy_module(myaudit, 1.0)
gen_require(`
	type audisp_t;
')

mls_socket_write_all_levels(audisp_t)

Does this solve the problem?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

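As an added example (not part of this thread or of refpolicy), a small Python model of why the quoted AVC is an MLS denial rather than a type-enforcement one: it parses the record, compares the subject level s15:c0.c1023 with the target socket's low level s0, and evaluates a simplified version of the socket-write MLS constraint with and without the attribute that mls_socket_write_all_levels() grants. The constraint shape and the attribute names mlsnetwrite / mlsnetwritetoclr are my reading of refpolicy's mls.te and are assumptions here.

```python
import re
# Constructed copy of the AVC record quoted above (same fields, joined on one line).
AVC = ('type=AVC msg=audit(1219865658.259:224923): avc:  denied  { write } for  pid=1332 '
       'comm="audispd" path="socket:[7463]" dev=sockfs ino=7463 scontext=system_u:system_r:'
       'audisp_t:s15:c0.c1023 tcontext=system_u:system_r:audisp_t:s0-s15:c0.c1023 tclass=unix_stream_socket')

def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, empty set)."""
    sens, _, cats = level.partition(':')
    catset = set()
    for item in (cats.split(',') if cats else []):
        lo, _, hi = item.partition('.')          # 'c0.c1023' is a category range
        catset.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(catset)

def dominates(a, b):
    """a dom b: a's sensitivity >= b's and a's category set is a superset of b's."""
    (sa, ca), (sb, cb) = parse_level(a), parse_level(b)
    return sa >= sb and ca >= cb

def parse_context(ctx):
    """user:role:type:low[-high]; the MLS range is everything after the third ':'."""
    user, role, typ, mls = ctx.split(':', 3)
    low, _, high = mls.partition('-')
    return {'user': user, 'role': role, 'type': typ, 'low': low, 'high': high or low}

def parse_avc(line):
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r'\{ ([^}]*) \}', line).group(1).split()
    return {'perms': perms, 'tclass': fields['tclass'],
            'scontext': parse_context(fields['scontext']),
            'tcontext': parse_context(fields['tcontext'])}

def mls_socket_write_allowed(subj, obj, subj_attrs=frozenset()):
    """Simplified socket-write constraint (assumption, modelled on refpolicy mls.te):
    l1 eq l2, or mlsnetwritetoclr with h1 dom l2 and l1 domby l2, or mlsnetwrite."""
    l1, h1, l2 = subj['low'], subj['high'], obj['low']
    if parse_level(l1) == parse_level(l2):
        return True
    if 'mlsnetwritetoclr' in subj_attrs and dominates(h1, l2) and dominates(l2, l1):
        return True
    return 'mlsnetwrite' in subj_attrs   # what mls_socket_write_all_levels() grants (assumed)

def diagnose(line, subj_attrs=frozenset()):
    """Classify the denial: is it a write-down, and does the MLS constraint pass?"""
    avc = parse_avc(line)
    s, t = avc['scontext'], avc['tcontext']
    s_low, t_low = parse_level(s['low']), parse_level(t['low'])
    return {'perms': avc['perms'], 'tclass': avc['tclass'],
            'write_down': dominates(s['low'], t['low']) and s_low != t_low,
            'mls_allowed': mls_socket_write_allowed(s, t, subj_attrs)}
```

Running diagnose(AVC) with no attributes reports a write-down that the constraint rejects; granting only mlsnetwritetoclr still fails because the socket's low level s0 does not dominate the subject's s15, so only the all-levels attribute clears it, matching the suggested module.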
