* I think we need to quiet SELinux in log files on setattr.
@ 2012-08-12 11:36 Daniel J Walsh
From: Daniel J Walsh @ 2012-08-12 11:36 UTC (permalink / raw)
To: Eric Paris, Stephen Smalley, Paul Moore, SELinux
In OpenShift I am seeing lots of AVCs for SELinux errors that would definitely
be blocked by DAC. The problem is they end up as AVCs in the log files and
I really do not want to dontaudit them. Can't we move the SELinux check on
setattr to after the DAC check? I believe the SELinux check should always
happen after the DAC check, so we can write simpler SELinux policy.
Last night's logs for OpenShift have lots of AVCs like the following, caused
by people installing apps which attempt to change the attributes of
files/directories they do not own.
allow libra_t httpd_modules_t:dir setattr;
allow libra_t httpd_modules_t:file setattr;
allow libra_t lib_t:dir setattr;
allow libra_t root_t:dir setattr;
allow libra_t ssh_home_t:dir { read setattr };
allow libra_t usr_t:dir setattr;
allow libra_t usr_t:file setattr;
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
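The allow rules above are the kind of output audit2allow produces from raw AVC records. The following is an added example, not code from this thread or from the SELinux project: a small Python parser that reads AVC denial records, reduces them to (source type, target type, class) and merges the permissions, so that repeated denials collapse into one rule and several permissions on the same pair become `{ read setattr }` as in the list above. It also counts how many raw denials sit behind each rule, which is what shows the log noise the message complains about. The audit lines in SAMPLE_AUDIT are constructed for this example; the function names parse_avcs, allow_rules and denial_counts are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the original message).
# The field layout follows the kernel's AVC record format; the SYSCALL
# record is included to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1344770000.123:4321): avc:  denied  { setattr } for  pid=1234 comm="chmod" name="modules" dev=dm-0 ino=1111 scontext=unconfined_u:system_r:libra_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=AVC msg=audit(1344770001.456:4322): avc:  denied  { read } for  pid=1235 comm="ls" name=".ssh" dev=dm-0 ino=2222 scontext=unconfined_u:system_r:libra_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir
type=AVC msg=audit(1344770002.789:4323): avc:  denied  { setattr } for  pid=1236 comm="chown" name=".ssh" dev=dm-0 ino=2222 scontext=unconfined_u:system_r:libra_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir
type=AVC msg=audit(1344770003.012:4324): avc:  denied  { setattr } for  pid=1237 comm="chmod" name="modules" dev=dm-0 ino=1111 scontext=unconfined_u:system_r:libra_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=SYSCALL msg=audit(1344770003.012:4324): arch=c000003e syscall=90 success=no exit=-13 comm="chmod"
"""

# Matches the verdict, the permission set in braces, and the three
# context fields that determine which allow rule a denial maps to.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """Extract the type field from a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denied AVC."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        yield (
            _type_of(m.group("scontext")),
            _type_of(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        )


def _format_rule(key, perms):
    stype, ttype, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def _merge(text, only_perm=None):
    """Merge denials by (source, target, class); return {key: (perms, count)}."""
    merged = {}
    for key in parse_avcs(text):
        stype, ttype, tclass, perms = key
        if only_perm is not None and only_perm not in perms:
            continue
        perm_set, count = merged.get((stype, ttype, tclass), (set(), 0))
        merged[(stype, ttype, tclass)] = (perm_set | perms, count + 1)
    return merged


def allow_rules(text, only_perm=None):
    """Return the sorted allow rules that would silence the denials in text.

    only_perm restricts the input to records that deny that permission,
    e.g. only_perm="setattr" to look at just the setattr noise.
    """
    return [_format_rule(k, p) for k, (p, _) in sorted(_merge(text, only_perm).items())]


def denial_counts(text, only_perm=None):
    """Map each generated rule to the number of raw denials behind it."""
    return {_format_rule(k, p): n for k, (p, n) in _merge(text, only_perm).items()}


if __name__ == "__main__":
    for rule, n in denial_counts(SAMPLE_AUDIT).items():
        print(f"{n:4d}  {rule}")
```

Run against a real /var/log/audit/audit.log the same way (`allow_rules(open(path).read(), only_perm="setattr")`) to see how much of the generated policy is setattr-only; the count per rule is what tells you whether a denial is one stray event or the steady background noise the message describes.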
* RE: I think we need to quiet SELinux in log files on setattr.
@ 2012-08-12 13:41 Eric Paris
From: Eric Paris @ 2012-08-12 13:41 UTC (permalink / raw)
To: sds, pmoore, selinux, dwalsh
I started a patch for this. I'll work on it next week.
-Eric