<tt>Daniel J Walsh <dwalsh@redhat.com> wrote on 03/30/2006 10:06:30 AM: > Michael C Thompson wrote: > > > > Hey Steve, > > > > Under the FC5 MLS policy, what is the magic incantation of SELinux > > role and MLS range that will make auditctl go? I've tried staff_r, > > with staff_t and SystemLow, which I did not expect to work (and it > > didn't). I've also tried sysadm_[rt] and secadm_[rt] with both > > SystemHigh and SystemLow. So far, no combination has lead to auditctl > > being usable. secadm & sysadm attempts resolve in a direct bash denial > > message, whereas staff _can_ execute audit, but I get the messages: > > "Error sending (rule/watch) list request (Permission denied)" > > > > Anyone know the magic or is this a policy bug? > > > secadm_r > > newrole -r secadm_r -l SystemHigh</tt> <tt>Transcript:</tt> <tt>-bash-3.1# newrole -r secadm_r -l SystemHigh</tt> <tt>Authenticating root.</tt> <tt>Password:</tt> <tt>[root@dyn94141107 ~]# auditctl -l</tt> <tt>bash: /sbin/auditctl: Permission denied</tt> <tt>[root@dyn94141107 ~]# ls -alZ /sbin/auditctl</tt> <tt>-rwxr-x--- root root system_u:object_r:auditctl_exec_t:SystemLow /sbin/auditctl</tt> <tt>[root@dyn94141107 ~]# id</tt> <tt>uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:secadm_r:secadm_t:SystemHigh</tt> <tt> Its clear from here this is not a DAC issue, but at this point my grasp of the policy is lacking. My policy packages are:</tt> <tt>selinux-policy-2.2.23-15</tt> <tt>selinux-policy-targeted-2.2.23-15</tt> <tt>selinux-policy-mls-2.2.23-15</tt> <tt>Am I out of date with policy?</tt> <tt>Thanks,</tt> <tt>Mike</tt>