Where does Fedora 16 log boot-time SELinux denials?
Where does Fedora 16 log boot-time SELinux denial messages? Under Fedora 14 and previous (for sure) and under Fedora 15 (I think), messages were logged via syslog and appeared in /var/log/messages until auditd started. However, this is apparently not happening with Fedora 16 -- how can I get these denial messages?

Details: I have a Fedora 16 server install (no X Windows and with network.service replacing NetworkManager.service, but otherwise nearly an out-of-the-box installation), and everything works OK until I do "setsebool -P secure_mode_insmod=on" and reboot. At that point -- not unexpectedly -- a number of kernel modules fail to load. For example, from /var/log/messages:

Nov 26 03:35:32 f16dev1 nfs-lock.preconfig[897]: FATAL: Error inserting lockd (/lib/modules/3.1.2-1.fc16.x86_64/kernel/fs/lockd/lockd.ko): Operation not permitted

Network interfaces such as eth0 also fail to come up. However, there are no SELinux denial messages logged to /var/log/messages, to any other file in /var/log, or to /var/log/audit/audit.log. Setting secure_mode_insmod=off and rebooting results in the system coming back up with all services started and no error messages. So I'm sure there should be some SELinux denials when I boot with secure_mode_insmod=off that I'm not seeing.

I've searched the web and read the auditd and systemd man and web pages without finding a solution. Any idea how to get the SELinux denial messages that get generated before auditd is started?

-- Mark Montague mark@catseye.org

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Where does Fedora 16 log boot-time SELinux denials?
On November 25, 2011 23:24 , Mark Montague <mark@catseye.org> wrote:
> Where does Fedora 16 log boot-time SELinux denial messages? Under
> Fedora 14 and previous (for sure) and under Fedora 15 (I think),
> messages were logged via syslog and appeared in /var/log/messages until
> auditd started. However, this is apparently not happening with Fedora
> 16 -- how can I get these denial messages?

I found the answer: the messages were not being generated due to dontaudit rules. For some reason, I had thought that the denial messages I was expecting were generated under previous versions of Fedora, and so I did not consider dontaudit rules right away. Following the advice in Dan's article ( http://danwalsh.livejournal.com/11673.html ) to run "semodule -DB" caused the desired denial messages to be logged.

-- Mark Montague mark@catseye.org
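An added example, not part of the thread, for triaging what "semodule -DB" reveals: a small POSIX shell helper that summarises AVC denials from audit-log text by source context, object class and permission, and lists the kernel modules refused via module_request. The audit lines, timestamps, pids and process names in it are constructed for illustration.

```shell
#!/bin/sh
# Helpers for triaging SELinux AVC denials after "semodule -DB" has
# disabled dontaudit rules. Input is audit-log text on stdin (e.g.
# < /var/log/audit/audit.log). Functions only print results; nothing
# here changes policy. Sample lines below are constructed.

# Summarise denials as "<count> <scontext> <tclass> <permissions>",
# most frequent first. Permissions are the set inside "{ ... }".
summarize_avc() {
  grep 'avc: *denied' \
    | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*scontext=\([^ ]*\).*tclass=\([^ ]*\).*/\2 \3 \1/p' \
    | sort | uniq -c | sort -rn
}

# List kernel modules whose load was refused: a module_request denial
# on the "system" class carries the requested module name in kmod="...".
denied_kmods() {
  grep 'avc: *denied *{ *module_request' \
    | sed -n 's/.*kmod="\([^"]*\)".*/\1/p' | sort -u
}

# The fix from the thread as a procedure (defined, not run here):
# disable dontaudit rules, reproduce the boot, collect the denials,
# then restore the rules so the audit log does not stay noisy.
reveal_dontaudit_denials() {
  semodule -DB    # rebuild policy with dontaudit rules disabled
  echo 'Reboot or reproduce the failure, then run:'
  echo '  summarize_avc < /var/log/audit/audit.log'
  echo 'Afterwards restore the dontaudit rules with: semodule -B'
}

# Constructed sample: three denials of the kind secure_mode_insmod
# produces for the insmod_t domain (hypothetical timestamps and pids).
SAMPLE_AVC='type=AVC msg=audit(1322278532.123:45): avc:  denied  { module_request } for  pid=897 comm="rpc.statd" kmod="lockd" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1322278532.456:46): avc:  denied  { sys_module } for  pid=901 comm="modprobe" capability=16 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability
type=AVC msg=audit(1322278533.001:47): avc:  denied  { sys_module } for  pid=905 comm="modprobe" capability=16 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability'

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | denied_kmods
```

On a real box, feed /var/log/audit/audit.log (or the output of ausearch -m avc) to the functions instead of the constructed sample.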