From: Miroslav Grepl <mgrepl@redhat.com>
To: "Spector, Aaron" <Aaron_Spector@mcafee.com>
Cc: "SELinux \(selinux@tycho.nsa.gov\)" <selinux@tycho.nsa.gov>
Subject: Re: Switching to enforcing mode introduces new policy issues?
Date: Fri, 24 Apr 2015 14:17:10 +0200
Message-ID: <553A3446.8010809@redhat.com>
In-Reply-To: <d15a5dc7a1fc4677b6ea3908b7480c6c@MIVEXUSR1N01.corpzone.internalzone.com>
On 04/24/2015 06:12 AM, Spector, Aaron wrote:
> That sounds like an idea, I'll have to give it a shot. To add a bit more information, I'm seeing a bunch of these changes happen during the boot process in init and I would assume the AVC is cleared between reboots - I've tweaked and added some things there for experimentation. I can boot my system up in permissive and see no problems, but when I restart it in enforcing I start seeing brand new policy violations, things I haven't seen before. It seems odd that the same boot sequence would result in such different behavior.
>
> -Aaron
>
> -----Original Message-----
> From: Paul Moore [mailto:paul@paul-moore.com]
> Sent: Thursday, April 23, 2015 5:20 PM
> To: Spector, Aaron
> Cc: SELinux (selinux@tycho.nsa.gov)
> Subject: Re: Switching to enforcing mode introduces new policy issues?
>
> On Thu, Apr 23, 2015 at 5:14 PM, Spector, Aaron <Aaron_Spector@mcafee.com> wrote:
>> Hi all,
>>
>> I’ve been working on writing my first policy for SELinux and I’ve hit
>> a bit of a snag. I’ve gotten the policy clean in permissive mode, but
>> when I swap the system over to enforcing, a whole new set of policy issues crop up.
>> Everything I’ve read says this isn’t to be expected so I’m a bit
>> confused as to what’s happening.
>
Try using journalctl/dmesg to search for either SELINUX_ERR or AVCs during
boot time.
> {snip}
>
>> So far what I’ve had to do to get around it is to add to my policy,
>> but that doesn’t seem like that should be necessary. If the audit is
>> clean in permissive mode, why isn’t it clean in enforcing?
>>
>> Is it possible that I’m missing policy deny audits when it’s in
>> permissive mode?
>
> It's important to remember that when you are in permissive mode you will only see a given SELinux AVC denial *once*, after that it will not be reported until the AVC is reset. My two favorite ways of resetting the SELinux AVC are to run either 'load_policy' or toggle the system from permissive into enforcing and then back into permissive mode. Try that and I suspect that will solve your problem.
>
> -Paul
>
> --
> paul moore
> www.paul-moore.com
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
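Paul's point (a permissive-mode AVC denial is reported once and then served from the cache until the cache is reset) and Miroslav's suggestion (grep the boot-time kernel log for SELINUX_ERR and AVC lines) together, as an added example that is not code from anyone in this thread. The sample audit lines, the `myd_t` domain, the comm name and the inode numbers are constructed for illustration; `avc_summary`, `count_distinct_denials`, `boot_denials` and `reset_avc` are names chosen here. `journalctl`, `dmesg`, `load_policy` and `setenforce` are the real tools. The summary goes a little beyond the thread: it collapses the log to one line per (scontext, tcontext, tclass, permissions) tuple, which approximates the per-(source, target, class) entry the kernel AVC caches and therefore shows which later accesses will be silently granted without a fresh denial record in permissive mode.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Deduplicates
# "avc:  denied" lines roughly the way the kernel AVC caches decisions,
# which is why a permissive-mode boot logs a given denial only once
# until the cache is flushed.

# Constructed sample of kernel audit output (contexts, comm name and
# inode numbers are made up). The first two lines differ only in the
# file touched, so they map to the same cache entry.
SAMPLE_AVC='audit: type=1400 audit(1429876000.123:45): avc:  denied  { read } for  pid=812 comm="myd" name="config" dev="sda1" ino=1234 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1429876001.456:46): avc:  denied  { read } for  pid=812 comm="myd" name="other" dev="sda1" ino=1235 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1429876002.789:47): avc:  denied  { write open } for  pid=812 comm="myd" name="myd.log" dev="sda1" ino=2222 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
kernel: SELinux:  policy loaded'

# avc_summary: read log lines on stdin, print one line per distinct
# (scontext, tcontext, tclass, permissions) tuple.
avc_summary() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # drop everything before the { ... } set
        sub(/ *[}].*/, "", perms)           # drop everything after it
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/) c = substr($i, 8)
        }
        print s " -> " t " " c " { " perms " }"
    }' | sort -u
}

# count_distinct_denials: number of distinct tuples in the sample.
# Three raw denials collapse to two entries.
count_distinct_denials() {
    printf '%s\n' "$SAMPLE_AVC" | avc_summary | wc -l | tr -d ' '
}

# boot_denials: Miroslav's suggestion as one command. Reads this boot's
# kernel messages from the journal (falls back to dmesg) and keeps only
# SELINUX_ERR and AVC lines. Needs a real system, so the test does not call it.
boot_denials() {
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -b -k --no-pager
    else
        dmesg
    fi | grep -E 'SELINUX_ERR|avc: +denied'
}

# reset_avc: the two cache flushes Paul suggests. Both need root, so the
# test does not call this either.
#   reset_avc          -> reload the policy (load_policy)
#   reset_avc toggle   -> go enforcing and straight back to permissive
reset_avc() {
    if [ "$1" = "toggle" ]; then
        setenforce 1 && setenforce 0
    else
        load_policy
    fi
}

# Demo: the deduplicated view of the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Usage on a real box: `reset_avc toggle`, reproduce the boot or the workload, then `boot_denials | avc_summary` to get the full set of denials rather than whatever survived the first logging pass. If the summary grows after a reset, the missing rules were always needed; enforcing mode was simply the first place they could not be served from the cache.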