Message-ID: <553A3446.8010809@redhat.com>
Date: Fri, 24 Apr 2015 14:17:10 +0200
From: Miroslav Grepl
To: "Spector, Aaron"
Cc: "SELinux (selinux@tycho.nsa.gov)"
Subject: Re: Switching to enforcing mode introduces new policy issues?
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

On 04/24/2015 06:12 AM, Spector, Aaron wrote:
> That sounds like an idea, I'll have to give it a shot. To add a bit more
> information, I'm seeing a bunch of these changes happen during the boot
> process in init and I would assume the AVC is cleared between reboots - I've
> tweaked and added some things there for experimentation. I can boot my system
> up in permissive and see no problems, but when I restart it in enforcing I
> start seeing brand new policy violations, things I haven't seen before. It
> seems odd that the same boot sequence would result in such different behavior.
>
> -Aaron
>
> -----Original Message-----
> From: Paul Moore [mailto:paul@paul-moore.com]
> Sent: Thursday, April 23, 2015 5:20 PM
> To: Spector, Aaron
> Cc: SELinux (selinux@tycho.nsa.gov)
> Subject: Re: Switching to enforcing mode introduces new policy issues?
>
> On Thu, Apr 23, 2015 at 5:14 PM, Spector, Aaron wrote:
>> Hi all,
>>
>> I’ve been working on writing my first policy for SELinux and I’ve hit a bit
>> of a snag. I’ve gotten the policy clean in permissive mode, but when I swap
>> the system over to enforcing, a whole new set of policy issues crop up.
>> Everything I’ve read says this isn’t to be expected so I’m a bit confused as
>> to what’s happening.

Try to use journalctl/dmesg to search either SELINUX_ERR or AVCs during boot time.

> {snip}
>
>> So far what I’ve had to do to get around it is to add to my policy, but that
>> doesn’t seem like that should be necessary. If the audit is clean in
>> permissive mode, why isn’t it clean in enforcing?
>>
>> Is it possible that I’m missing policy deny audits when it’s in permissive
>> mode?
>
> It's important to remember that when you are in permissive mode you will only
> see a given SELinux AVC denial *once*, after that it will not be reported
> until the AVC is reset. My two favorite ways of resetting the SELinux AVC are
> to run either 'load_policy' or toggle the system from permissive into
> enforcing and then back into permissive mode. Try that and I suspect that will
> solve your problem.
>
> -Paul
>
> --
> paul moore
> www.paul-moore.com

--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
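The procedure the two replies describe, as an added example that is not code from the thread: reset the AVC audit cache the way Paul suggests so already-reported denials are audited again, then pull AVC and SELINUX_ERR records from the current boot as Miroslav suggests and collapse repeats into one line per rule. The function names, the --live flag and the sample log lines are this example's own constructions; the live part needs root on an SELinux system, the summarizer runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Needs root and an SELinux system for
# the live part (--live); the summarizer itself runs on any input.

# Reset the AVC audit cache so denials already reported once in permissive
# mode show up again (Paul's two methods: load_policy, or toggle modes).
reset_avc() {
    if command -v load_policy >/dev/null 2>&1; then
        load_policy
    else
        setenforce 1 && setenforce 0
    fi
}

# Reduce AVC denials to one line per (scontext, tcontext, tclass, perms)
# tuple, dropping pid/comm/inode so repeats collapse; SELINUX_ERR records
# (audit type 1401) pass through unchanged. Reads stdin.
summarize_denials() {
    grep -E 'avc:  denied|SELINUX_ERR|type=1401' |
    sed -E 's/.*avc:  denied  \{ ([^}]*) \}.*scontext=([^ ]+) tcontext=([^ ]+) tclass=([^ ]+).*/\2 \3 \4 { \1 }/' |
    sort -u
}

# Kernel messages from the current boot (journalctl, falling back to dmesg).
collect_boot_denials() {
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -b -k --no-pager
    else
        dmesg
    fi | summarize_denials
}

# Constructed sample log: two hits on the same rule (different pids),
# one other denial, and one SELINUX_ERR record.
SAMPLE_LOG='audit: type=1400 audit(1429875400.101:12): avc:  denied  { read } for  pid=611 comm="myd" name="myd.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1429875400.102:13): avc:  denied  { read } for  pid=612 comm="myd" name="myd.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit: type=1400 audit(1429875400.300:14): avc:  denied  { write } for  pid=611 comm="myd" name="run" dev="dm-0" ino=77 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
audit: type=1401 audit(1429875400.400:15): op=security_compute_sid invalid_context=system_u:system_r:nosuch_t:s0 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:myd_exec_t:s0 tclass=process'

# Summarize the constructed sample (used by the stand-alone run).
demo_summary() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_denials
}

if [ "${1:-}" = "--live" ]; then
    reset_avc && collect_boot_denials
else
    demo_summary
fi
```

Run it with --live after reproducing the workload (or a reboot) in permissive mode; the summary is the list of rules the policy still lacks, which is the same set enforcing mode will block.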