<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 28 August 2013 19:16, Dominick <span style class="">Grift</span> <span dir="ltr"><<a href="mailto:dominick.grift@gmail.com" target="_blank"><span style class="">dominick</span>.<span style class="">grift</span>@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">On Wed, 2013-08-28 at 18:53 +0200, Robert Gabriel wrote:<br>
<br>
> Please advise.<br>
><br>
> Any help appreciated, thank you.<br>
<br>
</div>There are various things you may have overlooked:<br>
<br>
Some things may be silently denied, thus not showing up in the audit.log<br>
by default<br>
<br>
To expose these, follow this procedure:<br>
<br>
semodule -DB<br>
reproduce issue<br>
look for avc, user_avc and selinux_err messages in audit.log, and<br>
in /var/log/messages<br>
semodule -B<br>
<br>
Make sure you arent overlooking selinux messages. Sometimes SELinux logs<br>
to /var/log/messages but most of the time to /var/log/audit/audit.log<br>
<br>
But if you use ausearch to parse the audit.log then use "-m<br>
avc,user_avc,selinux_err", so that it looks for all kinds of selinux<br>
related messages rather than only regular "avc denials"<br>
<br>
When writing policy , one usually needs to do various rounds of testing<br>
because not all issues may surface the time round of testing<br>
<br>
Heres the procedure i usually follow ( in that order ):<br>
<br>
1. test in permissive mode<br>
2. test in permissive mode with semodule -DB<br>
3. test in enforcing mode with semodule -DB<br>
4. test in enforcing mode<br>
<h1 class=""><span id="btAsinTitle">Principles of Information Security</span></h1><br>
Those are just some suggestions, but since i have little information<br>
about your issues it is hard to determine if this will help<br>
<br>
Some questions:<br>
<br>
1. does it work in permissive mode?<br>
2. does or do the processes run in the expected context(s)<br>
3. can you enclose your source policy module for review?<br>
<span class=""><font color="#888888"><br>
</font></span></blockquote><div>Thank you!<br><br></div><div>I will look into the above tomorrow at the office, I wasn't aware of looking at other messages.<br><br></div><div>1. Yes, it runs fine in permissive mode.<br>
<br></div><div>2. Yes, the processes are in the expected context.<br><br></div><div>3. Yes, I can. Pardon my ignorance, but you will then need *.<span style class="">fc</span>, *.<span style class="">te</span>, *.if, *.sh files yes?<br>
<br></div><div>Thank you again, I can't wait to carry on getting to this tomorrow, I'll advise ASAP.<br></div></div></div></div>