another selinux issue

Daniel J Walsh dwalsh at redhat.com
Tue Feb 12 14:52:56 UTC 2008



Valent Turkovic wrote:
> On Feb 9, 2008 6:36 PM, Rahul Sundaram <sundaram at fedoraproject.org> wrote:
>> Valent Turkovic wrote:
>>
>>> Ok, so my system is still protected but I can't see the issues that
>>> happen because sel troubleshooter service crashes?
>>> To be honest I prefer it this way :)
>> You can still see the issues in the logs. SELinux troubleshooter parses
>> the AVC denied messages from the logs that are usually cryptic and
>> attempts to convert them into a language that end users can more easily
>> understand while attempting to also provide suggestions on actions to
>> take. If you don't want that, you might as well just remove the package.
>>
>>
>> Rahul
> 
> I was joking a bit :) I like selinux-troubleshooter features.
> 
> I was thinking of danger goggles from Hitchhiker's Guide to the Galaxy which
> in case of danger close their lids so you can't see the danger and are
> therefore protected from it :) I draw a parallel to sel troubleshooter
> crashing :)
> 
> Valent.
> 

grep setroubleshoot /var/log/audit/audit.log

The setroubleshooter has nothing to do with SELinux protections.  Its job
is to watch for SELinux errors (avc's in /var/log/audit/audit.log), and
then to try to translate them into actions that the user can execute.

The problem is if it sees an AVC about itself, it can try to act on it,
which might generate an AVC on itself, which it can act on, which might
generate an AVC on itself ...

So we have it commit suicide when it sees avc's on itself.


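
The behaviour described in the message above, as an added example that is not part of the original post and is not setroubleshoot's own code: a log reader that parses AVC denials and stops as soon as it meets one raised by its own domain, instead of acting on it. The log lines are constructed, and the `setroubleshootd_t` domain type and the `parse_avc`/`triage` names are assumptions of this sketch.

```python
import re

# Constructed sample records in audit.log AVC format (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1202827900.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1202827900.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1202827950.250:42): avc:  denied  { search } for  pid=1890 comm="setroubleshootd" name="rpm" dev=dm-0 ino=9001 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1202827990.007:43): avc:  denied  { write } for  pid=2230 comm="smbd" name="share" dev=dm-0 ino=5150 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \}.*?\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    return rec

def triage(lines, own_type="setroubleshootd_t"):
    """Collect denials to report; stop at the first denial raised by the analyzer itself.

    Returns (reportable, self_denial); self_denial is None if none was seen.
    """
    reportable = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["source_type"] == own_type:
            # Acting on this record could trigger another denial on ourselves, so stop here.
            return reportable, rec
        reportable.append(rec)
    return reportable, None

if __name__ == "__main__":
    reportable, self_denial = triage(SAMPLE_LOG.splitlines())
    print("reportable:", [(r["comm"], r["perms"], r["tclass"]) for r in reportable])
    print("stopped on:", self_denial and self_denial["serial"])
```

Records after the self-denial are left unread in this sketch, so the later smbd denial is still in the log for a person to find with the grep shown in the message.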



