<div dir="ltr">On 28 August 2013 19:16, Dominick <span style class="">Grift</span> <span dir="ltr"><<a href="mailto:dominick.grift@gmail.com" target="_blank"><span style class="">dominick</span>.<span style class="">grift</span>@gmail.com</a>></span> wrote:<br>
<div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">On Wed, 2013-08-28 at 18:53 +0200, Robert Gabriel wrote:<br>
<br>
> Please advise.<br>
><br>
> Any help appreciated, thank you.<br>
<br>
</div>There are various things you may have overlooked:<br>
<br>
Some things may be silently denied, thus not showing up in the audit.log<br>
by default<br>
<br>
To expose these, follow this procedure:<br>
<br>
semodule -DB<br>
reproduce issue<br>
look for avc, user_avc and selinux_err messages in audit.log, and<br>
in /var/log/messages<br>
semodule -B<br>
<br>
Make sure you arent overlooking selinux messages. Sometimes SELinux logs<br>
to /var/log/messages but most of the time to /var/log/audit/audit.log<br>
<br>
But if you use ausearch to parse the audit.log then use "-m<br>
avc,user_avc,selinux_err", so that it looks for all kinds of selinux<br>
related messages rather than only regular "avc denials"<br>
<br>
When writing policy , one usually needs to do various rounds of testing<br>
because not all issues may surface the time round of testing<br>
<br>
Heres the procedure i usually follow ( in that order ):<br>
<br>
1. test in permissive mode<br>
2. test in permissive mode with semodule -DB<br>
3. test in enforcing mode with semodule -DB<br>
4. test in enforcing mod<font color="#888888">e</font></blockquote><div><br>Dominick,<br><br></div><div>You are the man!<br><br></div><div>I'm not sure what happened, but as you explained, yes there were several other messages in said logs.<br>
<br></div><div>I followed your methodology and saw another <span style class="">AVC</span> denied message, added that and saw other <span style class="">Splunk</span> related, but not denies.<br><br></div><div>Several restarts and a reboot and <span style class="">Splunk</span> is still up.<br>
<br></div><div>THANK YOU THANK YOU THANK YOU!<br></div></div></div></div>