On 28 August 2013 19:16, Dominick Grift dominick.grift@gmail.com wrote:
On Wed, 2013-08-28 at 18:53 +0200, Robert Gabriel wrote:
Please advise.
Any help appreciated, thank you.
There are various things you may have overlooked:
Some things may be silently denied, thus not showing up in the audit.log by default
To expose these, follow this procedure:
1. semodule -DB
2. reproduce the issue
3. look for avc, user_avc and selinux_err messages in audit.log, and in /var/log/messages
4. semodule -B
Make sure you aren't overlooking SELinux messages. Sometimes SELinux logs to /var/log/messages, but most of the time to /var/log/audit/audit.log.
But if you use ausearch to parse the audit.log then use "-m avc,user_avc,selinux_err", so that it looks for all kinds of selinux related messages rather than only regular "avc denials"
When writing policy, one usually needs to do various rounds of testing, because not all issues may surface in the first round of testing.
Here's the procedure I usually follow (in that order):
- test in permissive mode
- test in permissive mode with semodule -DB
- test in enforcing mode with semodule -DB
- test in enforcing mode
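The cycle Dominick describes, written out as a shell script. This is an added example, not code from the thread: the `expose_silent_denials` wrapper needs root on an SELinux system and is not run here, and the audit records in `SAMPLE_AUDIT_LOG` are constructed to show why filtering only on plain AVC records misses user_avc and selinux_err messages.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).

# Full cycle from the reply: expose dontaudit'ed denials, reproduce, look, restore.
# Requires root and a running SELinux system; "$@" is the command that reproduces
# the problem, e.g. "service splunk restart".
expose_silent_denials() {
    semodule -DB                                  # rebuild policy with dontaudit rules disabled
    "$@"                                          # reproduce the issue
    ausearch -m avc,user_avc,selinux_err -ts recent   # all SELinux message types, not just avc
    grep -iE 'avc|selinux' /var/log/messages      # SELinux sometimes logs here instead
    semodule -B                                   # rebuild with dontaudit rules back in place
}

# Constructed sample audit.log (values invented for the example, not real log output).
SAMPLE_AUDIT_LOG=$(mktemp)
cat > "$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1377708000.001:101): avc:  denied  { read } for  pid=1234 comm="splunkd" name="passwd" scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1377708000.001:101): arch=c000003e syscall=2 success=no exit=-13 comm="splunkd"
type=USER_AVC msg=audit(1377708000.002:102): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system'
type=SELINUX_ERR msg=audit(1377708000.003:103): op=security_compute_sid invalid_context=system_u:system_r:splunk_t:s0 scontext=system_u:system_r:init_t:s0 tclass=process
type=CRED_ACQ msg=audit(1377708000.004:104): pid=5678 uid=0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" res=success'
EOF

# What you see when you only look for regular AVC denials.
count_avc_only() {          # $1 = audit log path; prints the number of matching records
    grep -cE '^type=AVC ' "$1"
}

# What "ausearch -m avc,user_avc,selinux_err" would surface from the same log.
count_selinux_records() {   # $1 = audit log path; prints the number of matching records
    grep -cE '^type=(AVC|USER_AVC|SELINUX_ERR) ' "$1"
}

echo "plain avc denials:        $(count_avc_only "$SAMPLE_AUDIT_LOG")"
echo "all selinux message types: $(count_selinux_records "$SAMPLE_AUDIT_LOG")"
```

On the constructed log the AVC-only filter reports one record while the full filter reports three, which is the gap the reply warns about.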
Dominick,
You are the man!
I'm not sure what happened, but as you explained, yes there were several other messages in said logs.
I followed your methodology and saw another AVC denied message, added that, and saw other Splunk-related messages, but not denials.
Several restarts and a reboot and Splunk is still up.
THANK YOU THANK YOU THANK YOU!