From: Daniel J Walsh <dwalsh@redhat.com>
To: Eric Paris <eparis@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Paul Moore <pmoore@redhat.com>, SELinux <selinux@tycho.nsa.gov>
Subject: I think we need to quiet SELinux in log files on setattr.
Date: Sun, 12 Aug 2012 07:36:11 -0400
Message-ID: <5027952B.8060405@redhat.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In openshift I am seeing lots of AVCs of SELinux errors that would definitely
be blocked by DAC. The problem is they end up as AVCs in the log files and
I really do not want to dontaudit them. Can't we move the SELinux check on
setattr to after the DAC check? I believe the SELinux check should always
happen after the DAC check, so we can write simpler SELinux policy.
Last night's logs for openshift have lots of AVCs like the following, caused,
I think, by people installing apps that attempt to change the attributes of
files/directories they do not own.
allow libra_t httpd_modules_t:dir setattr;
allow libra_t httpd_modules_t:file setattr;
allow libra_t lib_t:dir setattr;
allow libra_t root_t:dir setattr;
allow libra_t ssh_home_t:dir { read setattr };
allow libra_t usr_t:dir setattr;
allow libra_t usr_t:file setattr;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlAnlSsACgkQrlYvE4MpobPwzwCfYtAhmbFp6gmpJ6Hg6UAOvQCO
V7gAn0uiplLNBwQu1rW8VUmGlxVUclce
=OUmh
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
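The noise the post complains about can be triaged from the audit log itself. The following is an added example, not code from the post or from the SELinux project: it parses AVC and SYSCALL records (the sample records below are constructed, not taken from the openshift logs), collapses the denials into allow rules in the same form the post lists (as audit2allow would), and separates the setattr denials that the DAC owner check would have refused anyway from the ones that need a policy decision. The DAC model used here is a deliberate simplification and an assumption of this example: only uid 0 or the inode owner may change attributes, with no capability handling; the inode-owner table is likewise constructed.

```python
"""Triage SELinux setattr AVCs that DAC would have refused anyway.

Added example, not code from the mailing-list post or the SELinux project.
The audit records and the inode-owner table are constructed sample data.
The DAC check is a simplified model (assumption): only uid 0 or the inode
owner may change attributes; the real kernel rules differ per attribute
and honour capabilities such as CAP_FOWNER and CAP_CHOWN.
"""
import re
from collections import defaultdict

# AVC record: only the fields needed here, in the order auditd writes them.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+?) \} for\s+pid=\d+ comm="(?P<comm>[^"]*)"'
    r'(?: name="[^"]*")? dev="(?P<dev>[^"]+)" ino=(?P<ino>\d+) '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
# The SYSCALL record sharing the serial carries the caller's fsuid, which
# is the uid DAC permission checks use.
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bfsuid=(?P<fsuid>\d+)\b'
)

# Constructed sample audit records (values invented for this example).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1344771371.123:100): avc:  denied  { setattr } for  pid=1234 comm="chmod" name="modules" dev="dm-0" ino=101 scontext=unconfined_u:system_r:libra_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=SYSCALL msg=audit(1344771371.123:100): arch=c000003e syscall=90 success=no exit=-13 pid=1234 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 comm="chmod" exe="/bin/chmod" subj=unconfined_u:system_r:libra_t:s0
type=AVC msg=audit(1344771372.456:101): avc:  denied  { setattr } for  pid=1235 comm="touch" name="app.cfg" dev="dm-0" ino=202 scontext=unconfined_u:system_r:libra_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1344771372.456:101): arch=c000003e syscall=235 success=no exit=-13 pid=1235 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 comm="touch" exe="/bin/touch" subj=unconfined_u:system_r:libra_t:s0
type=AVC msg=audit(1344771373.789:102): avc:  denied  { setattr } for  pid=1236 comm="chown" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:libra_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1344771373.789:102): arch=c000003e syscall=92 success=no exit=-13 pid=1236 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 comm="chown" exe="/bin/chown" subj=system_u:system_r:libra_t:s0
"""

# Constructed (dev, inode) -> owner uid table, standing in for a stat() of each file.
SAMPLE_OWNERS = {('dm-0', 101): 0, ('dm-0', 202): 1001, ('dm-0', 2): 0}


def parse_audit_log(text):
    """Return one dict per AVC denial, joined with its SYSCALL record's fsuid by serial."""
    fsuid_by_serial = {}
    avcs = []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            fsuid_by_serial[m['serial']] = int(m['fsuid'])
            continue
        m = AVC_RE.search(line)
        if m:
            ev = m.groupdict()
            ev['perms'] = ev['perms'].split()
            ev['ino'] = int(ev['ino'])
            avcs.append(ev)
    for ev in avcs:
        ev['fsuid'] = fsuid_by_serial.get(ev['serial'])  # None when no SYSCALL record was logged
    return avcs


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(':')[2]


def allow_rule(stype, ttype, tclass, perms):
    """Render one rule in the syntax the post lists, e.g. allow a_t b_t:dir { read setattr };"""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {ttype}:{tclass} {body};'


def allow_rules(events):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for ev in events:
        key = (type_of(ev['scontext']), type_of(ev['tcontext']), ev['tclass'])
        grouped[key].update(ev['perms'])
    return sorted(allow_rule(s, t, c, p) for (s, t, c), p in grouped.items())


def dac_would_deny(ev, owners):
    """Simplified owner check: only uid 0 or the inode owner may change attributes."""
    if 'setattr' not in ev['perms'] or ev['fsuid'] is None:
        return False  # not a setattr, or no uid to judge by: keep the denial
    owner = owners.get((ev['dev'], ev['ino']))
    if owner is None:
        return False  # unknown owner: treat the denial as genuine
    return ev['fsuid'] != 0 and ev['fsuid'] != owner


def triage(text, owners):
    """Split denials into rules DAC would make moot and rules that need a policy decision."""
    events = parse_audit_log(text)
    moot = [ev for ev in events if dac_would_deny(ev, owners)]
    genuine = [ev for ev in events if not dac_would_deny(ev, owners)]
    return allow_rules(moot), allow_rules(genuine)


if __name__ == '__main__':
    moot, genuine = triage(SAMPLE_AUDIT_LOG, SAMPLE_OWNERS)
    print('DAC would have refused these (log noise if SELinux ran after DAC):')
    print('\n'.join(moot))
    print('Need a policy decision (allow or dontaudit):')
    print('\n'.join(genuine))
```

The first sample denial is the case the post describes: a uid 1001 process changing the mode of a root-owned directory, which chmod's owner check would refuse regardless of policy, yet the AVC is logged because the SELinux hook runs first. The other two pass the owner check, so they are real policy questions rather than noise.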