Old 11-26-2011, 03:24 AM
Mark Montague
 
Where does Fedora 16 log boot-time SELinux denials?

Where does Fedora 16 log boot-time SELinux denial messages? Under
Fedora 14 and previous (for sure) and under Fedora 15 (I think),
messages were logged via syslog and appeared in /var/log/messages until
auditd started. However, this is apparently not happening with Fedora
16 -- how can I get these denial messages?

Details:

I have a Fedora 16 server install (no X Windows and with network.service
replacing NetworkManager.service, but otherwise nearly an out-of-the-box
installation), and everything works OK until I do "setsebool -P
secure_mode_insmod=on" and reboot. At that point -- not unexpectedly --
a number of kernel modules fail to load. For example, from
/var/log/messages:

Nov 26 03:35:32 f16dev1 nfs-lock.preconfig[897]: FATAL: Error inserting
lockd (/lib/modules/3.1.2-1.fc16.x86_64/kernel/fs/lockd/lockd.ko):
Operation not permitted

Network interfaces such as eth0 also fail to come up. However, there
are no SELinux denial messages logged to /var/log/messages, to any other
file in /var/log, or to /var/log/audit/audit.log.

Setting secure_mode_insmod=off and rebooting results in the system
coming back up with all services started and no error messages. So I'm
sure there should be some SELinux denials when I boot with
secure_mode_insmod=off that I'm not seeing.

I've searched the web and read the auditd and systemd man and web pages
without finding a solution. Any idea how to get the SELinux denial
messages that get generated before auditd is started?

--
Mark Montague
mark@catseye.org

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 11-28-2011, 03:22 AM
Mark Montague
 
Where does Fedora 16 log boot-time SELinux denials?

On November 25, 2011 23:24 , Mark Montague <mark@catseye.org> wrote:
> Where does Fedora 16 log boot-time SELinux denial messages? Under
> Fedora 14 and previous (for sure) and under Fedora 15 (I think),
> messages were logged via syslog and appeared in /var/log/messages until
> auditd started. However, this is apparently not happening with Fedora
> 16 -- how can I get these denial messages?

I found the answer: the messages were not being generated due to
dontaudit rules. For some reason, I had thought that the denial
messages I was expecting were generated under previous versions of
Fedora, and so I did not consider dontaudit rules right away.

Following the advice in Dan's article (
http://danwalsh.livejournal.com/11673.html ) to run "semodule -DB"
caused the desired denial messages to be logged.

--
Mark Montague
mark@catseye.org

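The fix Mark found, turning dontaudit rules off with "semodule -DB" so the suppressed denials show up, is easy to forget to undo. The script below is an added example, not code from the thread or from Fedora: it wraps the disable / inspect / restore steps in small functions, and includes a constructed audit.log excerpt (the sys_module denial record is made up for illustration, not copied from the poster's machine) so the counting helper can be exercised offline. It assumes Fedora's policycoreutils and audit tools; SEMODULE and AUSEARCH can be pointed at other commands for a dry run.

```shell
#!/bin/sh
# Added example, not from the thread. Makes the denials that dontaudit rules
# hide visible for one debugging session, then restores the normal policy.
# Assumes semodule and ausearch from Fedora; both can be overridden.
SEMODULE=${SEMODULE:-semodule}
AUSEARCH=${AUSEARCH:-ausearch}

# Rebuild and load the policy with every dontaudit rule removed. The rebuilt
# policy persists across a reboot, so boot-time denials are logged as well.
disable_dontaudit() { "$SEMODULE" -DB; }

# Rebuild with the dontaudit rules back in place. Do this as soon as the
# investigation is over; the quiet policy is the intended steady state.
restore_dontaudit() { "$SEMODULE" -B; }

# List AVC records since the last boot (ausearch reads /var/log/audit/audit.log).
boot_denials() { "$AUSEARCH" -m avc -ts boot; }

# Count AVC denial records in a file of audit lines; prints 0 when there are
# none or the file cannot be read.
count_avc_denials() {
    n=$(grep -c 'avc:.*denied' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Constructed audit.log excerpt (not real output): one module-load denial of
# the kind a restrictive insmod policy produces, plus the SYSCALL record that
# accompanies it and must not be counted as a second denial.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1322278532.101:42): avc:  denied  { sys_module } for  pid=897 comm="modprobe" capability=16 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability
type=SYSCALL msg=audit(1322278532.101:42): arch=c000003e syscall=175 success=no exit=-1
EOF
}

# Typical session: ./script disable ; reboot ; ./script show ; ./script restore
case "${1:-}" in
    disable) disable_dontaudit ;;
    show)    boot_denials ;;
    restore) restore_dontaudit ;;
esac
```

With no argument the script only defines the functions, so it can be sourced from an interactive shell as well.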