9:58 p.m.
After recent updates Mozilla web browser will not start while in
enforcing mode. The troubling thing is that it does not produce any avc
denied messages. Further, after switching to permissive mode, starting
Mozilla web browser, exiting, generating allow rules from the avc denied
messages, incorporating them into the policy, doing a 'make reload' and
trying Mozilla again in enforcing mode it still will not start and
does not produce and avc denied messages.
Considering that the recommended method for generating policy is to
"debug it into existence" i.e. run things and look at the avc denied
messages, this lack of avc denied message indicates there is something
fundamentally wrong here and indicates a mode of failure we may not have
considered before.
Or is it just a bug?
Thanks for any help,
Richard Hally
kernel 2.6.7.-1.448
selinux-policy-strict-sources-1.13.8-1
sysklogd-1.4.1-20
10:52 p.m.
Richard Hally wrote:
After recent updates Mozilla web browser will not start while in
enforcing mode. The troubling thing is that it does not produce any avc
denied messages. Further, after switching to permissive mode, starting
Mozilla web browser, exiting, generating allow rules from the avc denied
messages, incorporating them into the policy, doing a 'make reload' and
trying Mozilla again in enforcing mode it still will not start and
does not produce and avc denied messages.
Considering that the recommended method for generating policy is to
"debug it into existence" i.e. run things and look at the avc denied
messages, this lack of avc denied message indicates there is something
fundamentally wrong here and indicates a mode of failure we may not have
considered before.
Or is it just a bug?
Thanks for any help,
Richard Hally
kernel 2.6.7.-1.448
selinux-policy-strict-sources-1.13.8-1
sysklogd-1.4.1-20
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Sorry for the reply to my own message.
After remembering (and using) the 'enableaudit' option for making
policy, the needed avc denied messages to generate the allow rules were
produced.
But this raises the larger question of how are we going to handle the
dontaudit rules in the future? And how do we distinguish between those
that are for "harmless" denials and those that are not?
Richard Hally
3:26 a.m.
On Fri, 25 Jun 2004 13:52, Richard Hally <rhally(a)mindspring.com> wrote:
Sorry for the reply to my own message.
After remembering (and using) the 'enableaudit' option for making
policy, the needed avc denied messages to generate the allow rules were
produced.
But this raises the larger question of how are we going to handle the
dontaudit rules in the future? And how do we distinguish between those
that are for "harmless" denials and those that are not?
Mozilla is a difficult program in this regard. In normal operation it will
try to stat() many files and read many directories that you don't want it to
so dontaudit rules are needed. Then when you get mis-labelled files and
directories you don't see any AVC messages because of the dontaudit rules.
It's especially difficult because it's a program that users run. If the same
problem occurs with a daemon then the person who runs it can just load a new
policy to investigate it. The person who has a Mozilla program often does
not have this option.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
7238
days inactive
7238
days old
selinux@lists.fedoraproject.org
2 comments
3 participants
participants (3)
-
Richard Hally -
Richard Hally -
Russell Coker