On 04/04/2015 03:05 AM, Joseph L. Casale wrote:
With the policy updates that came with centos 7.1 update, I am trying
to
update a few local policies we have but with `setenforce 0` I do not get
an avc at all when running my app, however enabling it and rerunning it
generates one, but without seeing them all that approach would be like
wack-a-mole.
The avc I am getting after setenforce 1 is run is:
type=AVC msg=audit(1428109185.330:570): avc: denied { execute_no_trans } for pid=3953
comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0"
ino=25468477 scontext=system_u:system_r:bacula_t:s0 tcontext=sytype=SYSCAL
Why does this not trigger a denial in permissive mode?
Thanks,
jlc
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
What does if you switch the SELinux mode (which resets AVC cache)
# setenforce 1; setenforce 0
and then re-test it?
Could you also post full raw AVC?
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.