Hello,

i am not sure, if this is really blocking or just logging:

Feb 16 14:02:32 mordor setroubleshoot: #012 SELinux
hindert /usr/sbin/saslauthd (saslauthd_t) "read" am Zugriff auf
<Unknown> (usr_t).#012 For complete SELinux messages. run sealert
-l fd56262f-2db7-46cd-9771-7a4fcc546531 Feb 16 14:15:00 mordor

setroubleshoot: #012 SELinux hindert /usr/libexec/postfix/smtpd
(postfix_smtpd_t) "write" am Zugriff auf <Unknown>
(postgrey_spool_t).#012 For complete SELinux messages. run sealert
-l 0b218c2c-40b1-4d64-821f-5f1a991157d3 Feb 16 14:15:19 mordor

setroubleshoot: #012 SELinux hindert /usr/lib/AntiVir/antivir
(amavis_t) "getattr" am Zugriff auf /sys (sysfs_t).#012 For
complete SELinux messages. run sealert -l
ee5a81fa-7b17-4ffa-8fac-cea3b325a614 Feb 16 14:36:57 mordor

setroubleshoot: #012 SELinux hindert /usr/sbin/saslauthd
(saslauthd_t) "read" am Zugriff auf <Unknown> (usr_t).#012 For
complete SELinux messages. run sealert -l
fd56262f-2db7-46cd-9771-7a4fcc546531 Feb 16 15:06:05 mordor

setroubleshoot: #012 SELinux hindert /usr/sbin/saslauthd
(saslauthd_t) "read" am Zugriff auf <Unknown> (usr_t).#012 For
complete SELinux messages. run sealert -l
fd56262f-2db7-46cd-9771-7a4fcc546531

Sorry for the german versions, so i can translate all of those in one:

setroubleshoot: #012 SELinux stops [application] (xxxx_t) "whatever"
access to <Unknown> (usr_t)...

the rest of the lines is written in better english than mine.

Now the question: i run selinux in permissive-mode, as otherwise i
always have dozens of megs of log from aide. I thought, permissive-mode
never blocks, just reports.

So, now, what is fact? is this blocking or just saying that it is
blocking?

Thanks for your response.

Roger

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

On Sat, 2008-02-16 at 15:19 +0100, Roger Grosswiler wrote:
> So, now, what is fact? is this blocking or just saying that it is
> blocking?


My understanding is that you are correct about this. "Permissive" only
logs these denials of what _would_ happen should you switch the SELinux
configuration to "enforcing" mode. However, the access is still granted.

I'm not much of an SELinux expert though; and would appreciate the
further advice of one who is.
--
Peter Gordon (codergeek42)
GnuPG Public Key ID: 0xFFC19479 / Fingerprint:
DD68 A414 56BD 6368 D957 9666 4268 CB7A FFC1 9479


--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Peter Gordon wrote:

On Sat, 2008-02-16 at 15:19 +0100, Roger Grosswiler wrote:

So, now, what is fact? is this blocking or just saying that it is
blocking?


My understanding is that you are correct about this. "Permissive" only
logs these denials of what _would_ happen should you switch the SELinux
configuration to "enforcing" mode. However, the access is still granted.

Further to what Peter said:
Because selinux is permitting the first item, sometimes this leads to a
second or more selinux denial warning. If selinux were enforcing, you
would only see the first message, where it blocked a certain access -
end of story.


What does sestatus say ?
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

Some issues might be resolved with restorecon: {don't apply, recurse,
verbose}

# restorecon -nrv /

, which could let you see files with bad contexts as a diagnostic,
before actually doing {suggested best to do during reboot}:


http://docs.fedoraproject.org/selinux-faq-fc5/#id2961890

DaveT.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list