Security Enhanced Linux
SELinux Mailing List

Subject: Re: user guide drafts: "Linux Permissions" and "Manual Pages for Services"
From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Thu, 13 Nov 2008 07:59:44 -0500
"Possible Causes of Silent Denials"

> Bugs in applications may cause a lot of SELinux denials, but such

"Applications and system library functions will often probe for access beyond what they require in order to perform their task. In order to maintain least privilege without filling the audit logs with avc denials from harmless application probing, the policy can silence avc denials without allowing a permission by using a dontaudit rule. Such dontaudit rules are common in the standard policy based on experience with applications."

> For

"After running semodule -DB, you can try again to exercise the application that was encountering a permission denial and see whether any SELinux denials are reported that are relevant to the application. Care must be taken in deciding which of these denials should be allowed, as some should in fact be ignored and handled via dontaudit rules."

> To rebuild

"This will restore the policy to its original state."

> For a full list of dontaudit rules, run the sesearch --dontaudit
>
> Refer to Section 7.3.5, “Raw Audit Messages” and Section 7.3.6, “sealert
> Messages” for information about analyzing denials.
>
> After resolving any issues found by removing dontaudit rules, or if
> disabling these rules did not produce denials for your situation, check
> standard Linux permissions.

[rest of Linux Permissions content].

>
> Thanks.

--
Stephen Smalley
National Security Agency

Received on Thu 13 Nov 2008 - 08:01:06 EST
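The workflow discussed in the message (disable dontaudit rules with `semodule -DB`, exercise the application, then decide per denial whether it deserves an allow rule or a dontaudit rule) produces a burst of raw AVC records that have to be triaged by hand. The following is an added example, not code from the message or from the SELinux project: a small parser that reads raw audit AVC lines, keeps only the denials, and groups them by source type, target type, object class and permission so that each distinct access can be judged once. The log lines are constructed for the example; the type names in them are the only assumption, and the decision between allow and dontaudit is deliberately left to the reader, as the message says it must be.

```python
import re
from collections import defaultdict

# Matches the AVC portion of a raw audit record, e.g.
#   avc:  denied  { read } for  pid=... comm="httpd" ... scontext=... tcontext=... tclass=file
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log: two denials against a home-directory file, one against
# the home directory itself, one granted record and one non-AVC record.
SAMPLE_LOG = [
    'type=AVC msg=audit(1226580000.101:201): avc:  denied  { read } for  pid=2345 comm="httpd" '
    'name="index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1226580000.102:202): avc:  denied  { getattr } for  pid=2345 comm="httpd" '
    'path="/home/alice/public_html/index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1226580000.103:203): avc:  denied  { search } for  pid=2345 comm="httpd" '
    'name="alice" dev=dm-0 ino=17 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    'type=AVC msg=audit(1226580000.104:204): avc:  granted  { execute } for  pid=2350 comm="httpd" '
    'path="/usr/sbin/suexec" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1226580000.101:201): arch=c000003e syscall=2 success=no exit=-13',
]


def parse_avc(line):
    """Return a dict describing the AVC record in `line`, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # The free-form middle part holds key=value pairs such as pid=, comm=, name=, path=.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return {
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def type_of(context):
    """Extract the type component from a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(lines):
    """Group denied AVC records by (source type, target type, class).

    Each group records the set of denied permissions, how many records hit it,
    and which command names triggered it; granted and non-AVC lines are skipped.
    """
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["count"] += 1
        groups[key]["comms"].add(rec["comm"])
    return dict(groups)


def candidate_rules(groups):
    """Render each group as an allow-shaped rule for the policy author to review.

    Whether a given line becomes an allow rule or a dontaudit rule is a manual
    decision; this only makes each distinct access visible once.
    """
    rules = []
    for stype, ttype, tclass in sorted(groups):
        perms = " ".join(sorted(groups[(stype, ttype, tclass)]["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, rule in zip(sorted(summary), candidate_rules(summary)):
        info = summary[key]
        print(f"# {info['count']} denial(s) from {', '.join(sorted(info['comms']))}")
        print(rule)
```

In practice the input would be the AVC records emitted after `semodule -DB`; each rendered line can then be checked against `sesearch --dontaudit` output to see whether the standard policy already silences that access, before deciding whether it belongs in an allow rule, a dontaudit rule, or neither.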
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009