Auditd & Strict Policy 1.19

George J. Jahchan SELinux at Compucenter.org
Thu May 26 06:31:20 UTC 2005


As you correctly mentioned, auditd worked by adding audit and audit_control to
the capability section of flask/access_vectors.

Noticed that audit.log shows "avc:  denied" kernel events that are not reported
in messages. Are these suppressed by the dontaudit rules in the policy?

Thank you for your help.

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com
[mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Stephen Smalley
Sent: Friday, May 20, 2005 5:17 PM
To: George J. Jahchan
Cc: Fedora SE Linux List
Subject: Re: Auditd & Strict Policy 1.19


On Fri, 2005-05-20 at 18:24 +0300, George J. Jahchan wrote:
> Followed your instructions, adding 'audit write & audit_control' at the end of
> the capability section in the policy/flask/access_vectors elicits the
> following error message when making the policy:

That's audit_write and audit_control - two permissions, not three.

> ... too many permissions to fit in an access vector.

Off-by-one bug in checkpolicy, fixed after FC3, but shouldn't matter as
you only need two permissions here.

> Bearing in mind that the machines are live production hosts, how do you
> recommend we address this (from the available choices below)?
>
> 1) For a limited period of time (until FC4 is released), we can live with
> having to switch to permissive mode in order to start the audit daemon, and
> revert back to enforcing mode after it starts. The hosts are not taken down
> that often.
>
> 2) We can upgrade to FC4 strict policy, with no assurance that it will work or
> not cause other problems.
>
> 3) We can upgrade to pre-release FC4, again with no assurance that it will
> work or will not introduce new weaknesses.

I've sent (via separate email) a copy of our current
policy/flask/security_classes, policy/flask/access_vectors,
policy/domains/program/auditd.te, and
policy/file_contexts/program/auditd.fc, so you can at least try those to
see if they resolve your issue for auditd (and they shouldn't impact
anything else).  If that resolves your problem, then feel free to stay
with FC3 until FC4 is out (schedule says June 6).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
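As an added example (not code from this thread or from the Fedora policy), a small POSIX shell helper that counts the permissions declared for a class in a flask/access_vectors-style file and checks the count against the 32-bit access vector that the "too many permissions" error refers to. The capability permission list is constructed from the standard Linux capability names and is an assumption about the FC3 file, as are the helper names make_class, count_perms, vector_fits and with_audit.

```shell
#!/bin/sh
# Added example, not from the thread: count the permissions declared for a
# class in a flask/access_vectors-style file and check them against the
# 32-bit access vector. The base list below is constructed from the standard
# Linux capability names and is an assumption about the FC3 file contents.
BASE_PERMS="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease"

# make_class NAME PERM... : print a class block in access_vectors syntax
make_class() {
  name=$1; shift
  printf 'class %s\n{\n' "$name"
  for p in "$@"; do printf '\t%s\n' "$p"; done
  printf '}\n'
}

# count_perms NAME : read access_vectors text on stdin and print the number
# of permissions declared inside "class NAME { ... }"
count_perms() {
  awk -v cls="$1" '
    $1 == "class" && $2 == cls { inblk = 1; next }
    inblk && $1 == "}"         { inblk = 0 }
    inblk && $1 ~ /^[a-z_]+$/  { n++ }
    END { print n + 0 }'
}

# vector_fits COUNT : succeed if COUNT permissions fit in one 32-bit vector
# (the "too many permissions" error means this bound was exceeded)
vector_fits() { [ "$1" -le 32 ]; }

# with_audit : the capability class with the two auditd permissions appended,
# as the reply above describes (audit_write and audit_control, not three)
with_audit() { make_class capability $BASE_PERMS audit_write audit_control; }

before=$(make_class capability $BASE_PERMS | count_perms capability)
after=$(with_audit | count_perms capability)
echo "capability permissions: before=$before after=$after"
vector_fits "$after" && echo "the extended class fits a 32-bit access vector"
```

Run it against a real policy tree with `count_perms capability < policy/flask/access_vectors` to check the class you actually edited rather than the constructed sample.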
