From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hung Truong
Date: Mon, 21 Jan 2013 12:25:05 -0500
Message-ID: <3086262d0228a121663cb87f5d77a07a@mail.gmail.com>
Subject: Turn off "dontaudit" rules in monolithic policy
To: SELinux

I have a custom monolithic build based on RHEL6 policy.
I get this error when I try to turn off dontaudit rules:

$ semodule -DB
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)

Is there another way to turn off dontaudit rules in a monolithic policy?

Many thanks,

--Hung Truong

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Vu, Joseph"
To: Hung Truong, SELinux
Subject: RE: Turn off "dontaudit" rules in monolithic policy
Date: Tue, 22 Jan 2013 14:19:06 +0000
Message-ID: <756D04455A661C4CA25DC5BA4902A7A70130D8@XCH-PHX-204.sw.nos.boeing.com>
In-Reply-To: <3086262d0228a121663cb87f5d77a07a@mail.gmail.com>

Hung,

I have been trying to rebuild monolithic policy and was not able to.
What version of SELinux Policy and RHT are you using?

________________________________
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Hung Truong
Sent: Monday, January 21, 2013 11:25 AM
To: SELinux
Subject: Turn off "dontaudit" rules in monolithic policy

I have a custom monolithic build based on RHEL6 policy.
I get this error when I try to turn off dontaudit rules:

$ semodule -DB
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)

Is there another way to turn off dontaudit rules in a monolithic policy?

Many thanks,

--Hung Truong
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hung Truong
In-Reply-To: <756D04455A661C4CA25DC5BA4902A7A70130D8@XCH-PHX-204.sw.nos.boeing.com>
Date: Tue, 22 Jan 2013 09:31:59 -0500
Subject: RE: Turn off "dontaudit" rules in monolithic policy
To: "Vu, Joseph", SELinux

I am using version 3.7.19-155el6.6.

From: Vu, Joseph [mailto:joseph.vu@boeing.com]
Sent: Tuesday, January 22, 2013 9:19 AM
To: Hung Truong; SELinux
Subject: RE: Turn off "dontaudit" rules in monolithic policy

Hung,

I have been trying to rebuild monolithic policy and was not able to.
What version of SELinux Policy and RHT are you using?

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <50FEAC01.3080605@redhat.com>
Date: Tue, 22 Jan 2013 10:10:57 -0500
From: Daniel J Walsh
To: Hung Truong
CC: "Vu, Joseph", SELinux
Subject: Re: Turn off "dontaudit" rules in monolithic policy

On 01/22/2013 09:31 AM, Hung Truong wrote:
> I am using version 3.7.19-155el6.6.

Why not compile two policies one with and one without dontaudit rules?

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hung Truong
In-Reply-To: <50FEAC01.3080605@redhat.com>
Date: Tue, 22 Jan 2013 10:14:25 -0500
Message-ID: <91c6e6b735a86f02709d38f526230fb3@mail.gmail.com>
Subject: RE: Turn off "dontaudit" rules in monolithic policy
To: Daniel J Walsh
Cc: SELinux

Could you tell me how to compile a policy without dontaudit rules?
Thanks.

Hung Truong | Trident Systems Incorporated
Sr. Embedded Engineer, Software System Engineering Group
10201 Fairfax Boulevard | Suite 300 | Fairfax, VA 22030
d: 703.267.6746 | f: 703.273.6608
e: hung.truong@tridsys.com | www.tridsys.com

Notice: The information contained in this email message is considered
confidential and proprietary to the sender and is intended solely for
review and use by the named recipient. Any unauthorized review, use or
distribution is strictly prohibited. If you have received this message in
error, please advise the sender by reply email and delete the message.

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Tuesday, January 22, 2013 10:11 AM
To: Hung Truong
Cc: Vu, Joseph; SELinux
Subject: Re: Turn off "dontaudit" rules in monolithic policy

On 01/22/2013 09:31 AM, Hung Truong wrote:
> I am using version 3.7.19-155el6.6.

Why not compile two policies one with and one without dontaudit rules?

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hung Truong
In-Reply-To: <50FEAEE1.9000002@redhat.com>
Date: Tue, 22 Jan 2013 11:54:18 -0500
Message-ID: <5d39ee58920a6a7a54682d2c584f05cf@mail.gmail.com>
Subject: RE: Turn off "dontaudit" rules in monolithic policy
To: Daniel J Walsh
Cc: refpolicy@oss1.tresys.com, selinux@tycho.nsa.gov

This works!!!
BTW, there was a typo. The command should be:

make enableaudit

I really appreciate your help.

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Tuesday, January 22, 2013 10:23 AM
To: Hung Truong
Subject: Re: Turn off "dontaudit" rules in monolithic policy

On 01/22/2013 10:14 AM, Hung Truong wrote:
> Could you tell me how to compile a policy without dontaudit rules?
> Thanks.

make enabelaudit I believe.
From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <50FED43F.9030909@tresys.com>
Date: Tue, 22 Jan 2013 13:02:39 -0500
From: "Christopher J. PeBenito"
To: Hung Truong
CC: SELinux
Subject: Re: Turn off "dontaudit" rules in monolithic policy
In-Reply-To: <3086262d0228a121663cb87f5d77a07a@mail.gmail.com>

To clarify terminology, if you're using semodule, you're using a modular
policy, not a monolithic policy. A monolithic policy would be fully
compiled on the development machine, and the policy.27 would be deployed
to the running machine. A modular policy deploys the *.pp files to the
running machine and links them together to make a policy.27.

On 01/21/13 12:25, Hung Truong wrote:
> I have a custom monolithic build based on RHEL6 policy.
> I get this error when I try to turn off dontaudit rules:
>
> $ semodule -DB
> libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)
>
> Is there another way to turn off dontaudit rules in a monolithic policy?
>
> Many thanks,
>
> --Hung Truong

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hung Truong
In-Reply-To: <50FED43F.9030909@tresys.com>
Date: Tue, 22 Jan 2013 13:12:15 -0500
Message-ID: <8f15e085e4c5384591bf85e5d1ee68fa@mail.gmail.com>
Subject: RE: Turn off "dontaudit" rules in monolithic policy
To: "Christopher J. PeBenito"
Cc: SELinux

Thanks for the clarification. I thought the "semodule -DB" could be used
for monolithic policy as well.

Daniel Walsh gave a solution by compiling a policy without dontaudit rules
and that worked perfectly fine for me. But, just curious if there is an
equivalent command to turn off dontaudit for monolithic policy at runtime?

--Hung Truong

-----Original Message-----
From: Christopher J. PeBenito [mailto:cpebenito@tresys.com]
Sent: Tuesday, January 22, 2013 1:03 PM
To: Hung Truong
Cc: SELinux
Subject: Re: Turn off "dontaudit" rules in monolithic policy

To clarify terminology, if you're using semodule, you're using a modular
policy, not a monolithic policy. A monolithic policy would be fully
compiled on the development machine, and the policy.27 would be deployed
to the running machine. A modular policy deploys the *.pp files to the
running machine and links them together to make a policy.27.

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <50FED87F.4050202@tresys.com>
Date: Tue, 22 Jan 2013 13:20:47 -0500
From: "Christopher J. PeBenito"
To: Hung Truong
CC: SELinux
Subject: Re: Turn off "dontaudit" rules in monolithic policy
In-Reply-To: <8f15e085e4c5384591bf85e5d1ee68fa@mail.gmail.com>

No, a monolithic policy can't be managed like that at run time. The policy
is supposed to be static. You'd have to use make enableaudit when you build
it, as Dan previously mentioned, and redeploy the policy.

On 01/22/13 13:12, Hung Truong wrote:
> Thanks for the clarification. I thought the "semodule -DB" could be used
> for monolithic policy as well.
>
> Daniel Walsh gave a solution by compiling a policy without dontaudit rules
> and that worked perfectly fine for me. But, just curious if there is an
> equivalent command to turn off dontaudit for monolithic policy at runtime?
>
> --Hung Truong

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
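
The modular/monolithic distinction from the replies above, as an added shell example that is not part of the original thread: it checks whether a policy store holds the module packages (`*.pp`) that `semodule -DB` relinks, lists the rebuild route otherwise, and gates redeployment on the rebuilt `policy.conf` containing no dontaudit rules. The function names, a Reference Policy source tree built with `MONOLITHIC=y`, the `make policy` compile step and a one-rule-per-line `policy.conf` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Succeeds when the store holds module packages (*.pp). Those are what
# semodule relinks; a monolithic deployment has only a compiled policy.NN.
store_is_modular() {
    [ -d "$1/modules" ] || return 1
    [ -n "$(find "$1/modules" -type f -name '*.pp' | head -n 1)" ]
}

# Print the number of dontaudit rules in a preprocessed policy.conf.
# Assumes one rule per line; comment lines mentioning dontaudit are ignored.
count_dontaudit() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -c '^[[:space:]]*dontaudit[[:space:]]' "$1" || true
}

# Gate before redeploying: succeed only if no dontaudit rule is left.
enableaudit_applied() {
    n=$(count_dontaudit "$1") || return 2
    [ "$n" -eq 0 ]
}

# Print, one per line, the commands that turn dontaudit rules off.
#   $1 = policy store, e.g. /etc/selinux/targeted
#   $2 = policy source tree (assumed: Reference Policy with MONOLITHIC=y)
dontaudit_off_plan() {
    if store_is_modular "$1"; then
        echo "semodule -DB"
    else
        # Monolithic: rebuild without dontaudit rules, compile, then
        # redeploy the resulting policy.NN to the running machine.
        echo "make -C $2 enableaudit"
        echo "make -C $2 policy"
    fi
}

# Stand-alone use: sh this_file STORE SRC_TREE
if [ "$#" -eq 2 ]; then
    dontaudit_off_plan "$1" "$2"
fi
```

Run `enableaudit_applied` on the source tree's `policy.conf` after `make enableaudit` and before copying the compiled policy to the target.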