[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Experiences with selinux enabled targetted on Fedora Core 3



On Tuesday 22 February 2005 12:15, Valdis Kletnieks vt edu wrote:
> At least at one point in time, I was seeing random avc errors on mount
> points that made absolutely no sense - I'd do an 'ls -Z' and it would look
> OK. Finally twigged in that I needed to unmount the file system, relabel
> the *directory*, and then remount.  Seem to remember /usr/share and
> /usr/local biting me that way (/, /usr, /usr/local, and /usr/share are 4
> different file systems on my box).

In those cases a dontaudit rule will usually do the job.  If the file system 
is not mounted then there's nothing that the application can usefully do 
under the mount point and usually ENOENT and EACCESS usually get the same 
code paths in most applications that try to open files.

grep dontaudit.*file_t.dir policy.conf

The above grep command will show you some of the dontaudit rules that have 
already been put in place to deal with this.  If there are more domains that 
may get used early in the boot process to get such errors then let us know 
and we'll write dontaudit rules.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]