Auditd & Strict Policy 1.19

Stephen Smalley sds at tycho.nsa.gov
Fri May 20 14:17:22 UTC 2005


On Fri, 2005-05-20 at 18:24 +0300, George J. Jahchan wrote:
> Followed your instructions, adding 'audit write & audit_control' at the end of
> the capability section in the policy/flask/access_vectors elicits the following
> error message when making the policy:

That's audit_write and audit_control - two permissions, not three.

> ... too many permissions to fit in an access vector.

Off-by-one bug in checkpolicy, fixed after FC3, but shouldn't matter as
you only need two permissions here.

> Bearing in mind that the machines are live production hosts, how do you
> recommend we address this (from the available choices below)?
> 
> 1) For a limited period of time (until FC4 is released), we can live with having
> to switch to permissive mode in order to start the audit daemon, and revert back
> to enforcing mode after it starts. The hosts are not taken down that often.
> 
> 2) We can upgrade to FC4 strict policy, with no assurance that it will work or
> not cause other problems.
> 
> 3) We can upgrade to pre-release FC4, again with no assurance that it will work
> or will not introduce new weaknesses.

I've sent (via separate email) a copy of our current
policy/flask/security_classes, policy/flask/access_vectors,
policy/domains/program/auditd.te, and
policy/file_contexts/program/auditd.fc, so you can at least try those to
see if they resolve your issue for auditd (and they shouldn't impact
anything else).  If that resolves your problem, then feel free to stay
with FC3 until FC4 is out (schedule says June 6).

-- 
Stephen Smalley
National Security Agency
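
Added example, not part of the original message and not checkpolicy code: a small Python parser for the access_vectors syntax that lists each class's permissions, showing that 'audit write' with a space parses as two separate permissions while audit_write is one. The 32-permission limit assumes the 32-bit SELinux access vector, and the sample fragments are constructed and abbreviated, not the real FC3 file.

```python
import re

AV_BITS = 32  # assumption from the lead-in: one bit per permission in a 32-bit vector

def parse_access_vectors(text):
    """Return {class: [permissions]}, inherited 'common' permissions first."""
    text = re.sub(r"#.*", "", text)              # strip comments
    tokens = re.findall(r"[{}]|[^\s{}]+", text)  # braces and bare words
    commons, classes = {}, {}
    i = 0
    while i < len(tokens):
        if tokens[i] not in ("common", "class") or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {tokens[i]!r}")
        kind, name = tokens[i], tokens[i + 1]
        i += 2
        perms = []
        if kind == "class" and tokens[i:i + 1] == ["inherits"]:
            perms = list(commons[tokens[i + 1]])  # copy the common's permissions
            i += 2
        if tokens[i:i + 1] == ["{"]:
            end = tokens.index("}", i)
            perms += tokens[i + 1:end]
            i = end + 1
        (commons if kind == "common" else classes)[name] = perms
    return classes

def too_wide(classes, bits=AV_BITS):
    """Names of classes whose permissions do not fit in the access vector."""
    return sorted(c for c, p in classes.items() if len(p) > bits)

# Constructed, abbreviated fragments (not the real FC3 access_vectors file).
BASE = "class capability\n{\n\tchown\n\tkill\n\tlease\n"
CORRECT = BASE + "\taudit_write\n\taudit_control\n}\n"
MISTYPED = BASE + "\taudit write\n\taudit_control\n}\n"  # space instead of underscore

if __name__ == "__main__":
    for label, text in (("correct", CORRECT), ("mistyped", MISTYPED)):
        perms = parse_access_vectors(text)["capability"]
        print(f"{label}: {len(perms)} permissions, tail = {perms[3:]}")
```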



