I used grep as well. Adding a boolean sounds like a great idea.
-Ken-
Daniel J Walsh wrote:
Ken wrote:
> Thank you for your response. I inadvertently sent my response to the
> previous message to your address rather than the list, and later
> posted it to the list. I noticed that you did not send this reply to
> the list so I did not know if it was appropriate to post my response
> on the list or not, and I chose not to. I have already written a
> program/script which removed the "dontaudit" statements from the ".te"
> files in the policy while I was in the process of troubleshooting
> this problem. This was helpful, but I have noticed dontaudit
> statements occurring in other files as well, and I am interested in
> learning more about the enableaudit module. I searched my hard drive
> for the source code and did not find it. Where can I find the source
> code for the module?
>
> -Ken-
>
I have no problem if this is on list. Problem is I am not sure which
list it belongs to.
enableaudit.pp is created from the same source file as the rest of the
code. Basically it uses the grep -v dontaudit out of the policy file
and rebuilds. So I am sure you did the same thing. The plan is to
eventually add some kind of boolean to turn on/off dontaudit rules.
> Daniel J Walsh wrote:
>> Ken wrote:
>>> Thanks for the suggestion, but it was not labeling. It appears to
>>> have had something to do with mls, although I have not had the time
>>> to figure out exactly what. I changed all the mls levels to s0 and
>>> the problem went away. It sure would be nice if there were a
>>> feature to disable all "dontaudit" statements for policy debugging.
>>>
>> semodule -b /usr/share/selinux/mls/enableaudit.pp
>>
>>> -Ken-
>>>
>>> Daniel J Walsh wrote:
>>>> Ken wrote:
>>>>> I am attempting to get a strict policy working on my FC-6 system
>>>>> (version 2.4.3-2.fc6). I have successfully created a user
>>>>> account, and I can log both the root and the user account into
>>>>> the GUI. I am attempting to get Firefox to work and I am having
>>>>> difficulties. If I click on the Firefox icon, I see the program
>>>>> listed as opening, and it stays that way for a few seconds and
>>>>> then disappears. If I check the message log (var/log/messages),
>>>>> there are no messages (either avc or other) generated as a result
>>>>> of the attempt. This only happens when the policy is enforcing.
>>>>> When the policy is not enforcing, Firefox loads properly --
>>>>> also with no messages. I have noticed that Firefox is not
>>>>> writing to its .mozilla folder when the policy is enforcing, and
>>>>> that it does write to several files in this folder when it loads
>>>>> properly. This problem affects both my user account and the root
>>>>> account. Can someone please explain why I am not receiving any
>>>>> error messages (or any messages at all), and let me know what
>>>>> needs to be changed in order to load Firefox?
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list(a)redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>> check /var/log/audit/audit.log for avc messages.
>>>>
>>>> I would guess you have a labeling problem on your home dir.
>>>>
>>>> restorecon -R -v ~/
>>>>
>>
>>