Re: Splunk Policy

On Wed, 2013-08-28 at 18:53 +0200, Robert Gabriel wrote: There are various things you may have overlooked: Some things may be silently denied, thus not showing up in the audit.log by default To expose these, follow this procedure: semodule -DB reproduce issue look for avc, user_avc and selinux_err messages in audit.log, and in /var/log/messages semodule -B Make sure you arent overlooking selinux messages. Sometimes SELinux logs to /var/log/messages but most of the time to /var/log/audit/audit.log But if you use ausearch to parse the audit.log then use "-m avc,user_avc,selinux_err", so that it looks for all kinds of selinux related messages rather than only regular "avc denials" When writing policy , one usually needs to do various rounds of testing because not all issues may surface the time round of testing Heres the procedure i usually follow ( in that order ): 1. test in permissive mode 2. test in permissive mode with semodule -DB 3. test in enforcing mode with semodule -DB 4. test in enforcing mode Those are just some suggestions, but since i have little information about your issues it is hard to determine if this will help Some questions: 1. does it work in permissive mode? 2. does or do the processes run in the expected context(s) 3. can you enclose your source policy module for review?