On Fri, Oct 24, 2008 at 03:38:15PM -0700, Timothy Renner wrote:
Is there any debug stream available that can tell me what is being
processed by the SELinux system? Specifically, I'd like to be able to
follow the trail from starting an executable, through its state
transitions, what files it reads, and what their file contexts are, and
what transitions happen as it calls external programs.
Most of this is visible in strace. Some post processing
will fill in the gaps.
Try something like:
strace -f -o /tmp/trace-my-subshell sh bash id program exit exit
Look at the system calls for mmap, fstat, setcon, open, read, write,
access, close, etc. to see what files it reads, attempts to read,
writes, attempts to write, libraries and so on.
After building a list of files you can use 'stat' to learn what the
context of each file is.
$ stat -Z /etc/shadow
$ stat -Z /etc/passwd
Most but not all interactions can just be seen with strace.
If you are more interested in tracing SELinux itself some
value may be found by running in permissive mode. Like tracing
SUID/SGID processes Hawthorne and Heisenberg issues come to play.
You will not be able to trace stuff beyond your level.
T o m M i t c h e l l
Found me a new hat, now what?