Experiences with selinux enabled targetted on Fedora Core 3
Russell Coker
russell at coker.com.au
Mon Apr 18 10:36:40 UTC 2005
On Tuesday 22 February 2005 12:15, Valdis.Kletnieks at vt.edu wrote:
> At least at one point in time, I was seeing random avc errors on mount
> points that made absolutely no sense - I'd do an 'ls -Z' and it would look
> OK. Finally twigged in that I needed to unmount the file system, relabel
> the *directory*, and then remount. Seem to remember /usr/share and
> /usr/local biting me that way (/, /usr, /usr/local, and /usr/share are 4
> different file systems on my box).
In those cases a dontaudit rule will usually do the job. If the file system
is not mounted then there's nothing that the application can usefully do
under the mount point and usually ENOENT and EACCESS usually get the same
code paths in most applications that try to open files.
grep dontaudit.*file_t.dir policy.conf
The above grep command will show you some of the dontaudit rules that have
already been put in place to deal with this. If there are more domains that
may get used early in the boot process to get such errors then let us know
and we'll write dontaudit rules.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list