Step-by-Step Guide To Creating SELinux Policy for Google Earth

Stephen Smalley sds at tycho.nsa.gov
Tue Jun 20 20:32:28 UTC 2006


On Tue, 2006-06-20 at 15:46 -0400, Benjy Grogan wrote:
> How do you verify that you're using enableaudit.pp and not base.pp?  I
> get these avcs after building and loading enableaudit but my Google
> Earth policy still gives off zero avcs after 20 minutes of use.  Which
> would be great if it actually ran in enforcing mode.
> 
> Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3836): avc:
> denied  { siginh } for
> pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:system_r:setfiles_t:s0 tclass=process
> Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3837): avc:
> denied  { rlimitinh } for  pid=7029 comm="setfiles"
> scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:system_r:setfiles_t:s0 tclass=process
> Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3838): avc:
> denied  { noatsecure } for  pid=7029 comm="setfiles"
> scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:system_r:setfiles_t:s0 tclass=process

Those avcs suggest that you are using enableaudit.pp, as they would
normally be silenced by dontaudit rules.  Try running the program under
strace and checking the output to see precisely where it is failing.
One case where we get no auditing at all is the net_admin capability
check upon netlink recv; that will be fixed by a pending patch in the
audit tree.  Hopefully googleearth doesn't need that though ;)

-- 
Stephen Smalley
National Security Agency
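
The check described in the reply above, as an added example that is not part of the original message: it parses AVC denials from syslog text (re-joining mail-wrapped or `>`-quoted lines) and reports whether any denial is for a permission the reply says is normally silenced by dontaudit rules. The permission set is an assumption limited to the three permissions shown in the quoted log, and the function names are hypothetical.

```python
import re

# Permissions from the three denials quoted above; per the reply, these are
# normally hidden by dontaudit rules (assumption: set limited to the page's).
NORMALLY_DONTAUDITED = {"siginh", "rlimitinh", "noatsecure"}

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \}\s+for\s+(?P<fields>.*)")

# Two of the quoted records, wrapped the way the mail client wrapped them.
SAMPLE = """\
Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3836): avc:
denied  { siginh } for
pid=7029 comm="setfiles" scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:system_r:setfiles_t:s0 tclass=process
Jun 20 15:18:03 localhost kernel: audit(1150831083.862:3838): avc:
denied  { noatsecure } for  pid=7029 comm="setfiles"
scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:system_r:setfiles_t:s0 tclass=process
"""

def parse_avc(log_text):
    """Return one dict per AVC denial, re-joining records wrapped over lines."""
    joined = []
    for line in (l.lstrip("> ").strip() for l in log_text.splitlines()):
        if not line:
            continue
        if "audit(" in line or not joined:
            joined.append(line)          # start of a new audit record
        else:
            joined[-1] += " " + line     # continuation of the previous one
    records = []
    for m in filter(None, map(AVC_RE.search, joined)):
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        records.append({"serial": int(m["serial"]),
                        "perms": set(m["perms"].split()),
                        "comm": fields.get("comm", "").strip('"'),
                        "scontext": fields.get("scontext"),
                        "tcontext": fields.get("tcontext"),
                        "tclass": fields.get("tclass")})
    return records

def dontaudit_disabled(records):
    """True if any denial is for a permission dontaudit would normally hide."""
    return any(r["perms"] & NORMALLY_DONTAUDITED for r in records)

if __name__ == "__main__":
    print("dontaudit rules appear disabled:", dontaudit_disabled(parse_avc(SAMPLE)))
```

A result of `False` only means no such denial appeared in the text supplied; it does not prove that base.pp is the loaded policy.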



