Firefox on strict policy

Ken mantaray_1 at cox.net
Sat Dec 2 20:05:40 UTC 2006


I used grep as well.  Adding a boolean sounds like a great idea.

-Ken-

Daniel J Walsh wrote:
> Ken wrote:
>> Thank you for your response.  I inadvertently sent my response to the 
>> previous message to your address rather than the list, and later 
>> posted it to the list.  I noticed that you did not send this reply to 
>> the list so I did not know if it was appropriate to post my response 
>> on the list or not, and I chose not to.  I have already written a 
>> program/script which removed the "dontaudit" statements from the ".te" 
>> files in the policy while I was in the process of troubleshooting 
>> this problem. This was helpful, but I have noticed dontaudit 
>> statements occurring in other files as well, and I am interested in 
>> learning more about the enableaudit module.  I searched my hard drive 
>> for the source code and did not find it.  Where can I find the source 
>> code for the module?
>>
>> -Ken-
>>
> I have no problem if this is on list.  Problem is I am not sure which 
> list it belongs to.
> enableaudit.pp is created from the same source file as the rest of the 
> code.  Basically it uses the grep -v dontaudit out of the policy file 
> and rebuilds.  So I am sure you did the same thing.  The plan is to 
> eventually add some kind of boolean to turn on/off dontaudit rules.
>> Daniel J Walsh wrote:
>>> Ken wrote:
>>>> Thanks for the suggestion, but it was not labeling.  It appears to 
>>>> have had something to do with mls, although I have not had the time 
>>>> to figure out exactly what.  I changed all the mls levels to s0 and 
>>>> the problem went away.  It sure would be nice if there were a 
>>>> feature to disable all "dontaudit" statements for policy debugging.
>>>>
>>> semodule -b /usr/share/selinux/mls/enableaudit.pp
>>>
>>>> -Ken-
>>>>
>>>> Daniel J Walsh wrote:
>>>>> Ken wrote:
>>>>>> I am attempting to get a strict policy working on my FC-6 system 
>>>>>> (version 2.4.3-2.fc6).  I have successfully created a user 
>>>>>> account,  and I can log both the root and the user account into 
>>>>>> the GUI.  I am attempting to get Firefox to work and I am having 
>>>>>> difficulties.  If I click on the Firefox icon, I see the program 
>>>>>> listed as opening, and it stays that way for a few seconds and 
>>>>>> then disappears.  If I check the message log (var/log/messages), 
>>>>>> there are no messages (either avc or other) generated as a result 
>>>>>> of the attempt. This only happens when the policy is enforcing.  
>>>>>> When the policy is not enforcing, Firefox loads properly -- 
>>>>>> also with no messages.  I have noticed that Firefox is not 
>>>>>> writing to its .mozilla folder when the policy is enforcing, and 
>>>>>> that it does write to several files in this folder when it loads 
>>>>>> properly.  This problem affects both my user account and the root 
>>>>>> account.  Can someone please explain why I am not receiving any 
>>>>>> error messages (or any messages at all), and let me know what 
>>>>>> needs to be changed in order to load Firefox?
>>>>>>
>>>>> check /var/log/audit/audit.log for avc messages.
>>>>>
>>>>> I would guess you have a labeling problem on your home dir.
>>>>>
>>>>> restorecon -R -v ~/
>>>>>
>>>
>>>
>
>
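
Added example, not part of the original thread and not the project's build code: the `grep -v dontaudit` approach described above filters line by line, so a rule wrapped across lines leaves a dangling fragment behind. The sketch below drops whole `dontaudit` statements instead; the sample policy and its type names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample policy source; browser_t and the other type names are made up.
sample_policy() {
cat <<'EOF'
# dontaudit rules below hide expected browser noise
allow browser_t home_t:dir { read search };
dontaudit browser_t etc_t:file write;
dontaudit browser_t tmp_t:dir
    { write add_name };
allow browser_t self:process signal;
EOF
}

# Line-based filter as described in the thread: it also drops the comment and
# leaves "{ write add_name };" behind, which no longer parses as a rule.
strip_naive() { grep -v dontaudit; }

# Statement-aware filter: drop each dontaudit rule through its closing ";".
strip_dontaudit() {
    awk '
        # Inside a wrapped rule: discard lines until the terminating semicolon.
        skipping { if (index($0, ";")) skipping = 0; next }
        # A rule that starts with the dontaudit keyword (comments do not match).
        /^[ \t]*dontaudit[ \t]/ {
            removed++
            if (!index($0, ";")) skipping = 1
            next
        }
        { print }
        END { printf "removed %d dontaudit rule(s)\n", removed > "/dev/stderr" }
    '
}

echo "--- grep -v dontaudit ---"; sample_policy | strip_naive
echo "--- statement-aware ---";   sample_policy | strip_dontaudit
```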
