How can I find out what all the SELinux transactions are?

Nifty Fedora Mitch niftyfedora at niftyegg.com
Sat Oct 25 22:45:43 UTC 2008


On Fri, Oct 24, 2008 at 03:38:15PM -0700, Timothy Renner wrote:
> 
> Is there any debug stream available that can tell me what is being  
> processed by the SELinux system?  Specifically, I'd like to be able to  
> follow the trail from starting an executable, through its state  
> transitions, what files it reads, and what their file contexts are, and  
> what transitions happen as it calls external programs.

Most of this is visible in strace. Some post-processing
will fill in the gaps.

Try something like:

	strace -f -o /tmp/trace-my-subshell sh bash id program exit exit

Look at the system calls for mmap, fstat, setcon, open, read, write,
access, close, etc.  to see what files it reads, attempts to read,
writes, attempts to write, libraries and so on.

After building a list of files you can use 'stat' to learn what the
context of each file is.
   $ stat -Z /etc/shadow
   $ stat -Z /etc/passwd

Most but not all interactions can just be seen with strace.
If you are more interested in tracing SELinux itself, some
value may be found by running in permissive mode.  Like tracing
SUID/SGID processes, Hawthorne and Heisenberg issues come into play.
You will not be able to trace stuff beyond your level.


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?
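
The post-processing step suggested in the reply above, as an added example that is not part of the original message: it pulls path names and failures such as ENOENT or EACCES out of `strace -f -o` output, then reads each file's label from the `security.selinux` extended attribute. The trace lines and all function names are constructed for illustration.

```python
import os
import re

# Constructed sample of `strace -f -o FILE ...` output (not from the original post).
SAMPLE_TRACE = '''\
4121  execve("/usr/bin/id", ["id"], 0x7ffd5c0 /* 24 vars */) = 0
4121  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4121  openat(AT_FDCWD, "/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
4121  open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
4122  open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
4122  read(4, "root:x:0:0:root:/root:/bin/bash\\n", 4096) = 32
'''

# Syscalls whose first quoted argument is a path name.
PATH_CALLS = {"execve", "open", "openat", "access", "stat", "lstat", "readlink"}
LINE_RE = re.compile(r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)'
                     r'\s+=\s+(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_trace(text):
    """Return (pid, syscall, path, errno-or-None) for each path-taking call."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("call") not in PATH_CALLS:
            continue  # also skips '<unfinished ...>' fragments and signal lines
        q = QUOTED_RE.search(m.group("args"))
        if q:
            events.append((m.group("pid"), m.group("call"), q.group(1), m.group("errno")))
    return events

def selinux_context(path):
    """Read the file's SELinux label; None if missing, unlabelled or unreadable."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # no such file, no SELinux, or non-Linux
        return None
    return raw.rstrip(b"\0").decode()

def report(text):
    """Map each path to (sorted outcomes seen in the trace, current context)."""
    seen = {}
    for _pid, _call, path, err in parse_trace(text):
        seen.setdefault(path, set()).add(err or "ok")
    return {p: (sorted(r), selinux_context(p)) for p, r in seen.items()}

if __name__ == "__main__":
    for path, (results, ctx) in sorted(report(SAMPLE_TRACE).items()):
        print(f"{path:28} {','.join(results):8} {ctx or '-'}")
```

To use it on a real trace, pass the contents of the file written by `strace -o` to `report()` instead of `SAMPLE_TRACE`.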



