5:38 p.m.
Is there any debug stream available that can tell me what is being
processed by the SELinux system? Specifically, I'd like to be able to
follow the trail from starting an executable, through its state
transitions, what files it reads, and what their file contexts are, and
what transitions happen as it calls external programs.
Thanks,
-Tim
5:28 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Timothy Renner wrote:
Is there any debug stream available that can tell me what is being
processed by the SELinux system? Specifically, I'd like to be able to
follow the trail from starting an executable, through its state
transitions, what files it reads, and what their file contexts are, and
what transitions happen as it calls external programs.
Thanks,
-Tim
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can probably setup
the auditing subsystem to track this. Not that I
would know how.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkkC9L4ACgkQrlYvE4MpobP+WgCeJOjpkZH03GvokKX0H50GpVxL
2CMAn232/BX6lIe+fEO+G4ZzrC/Ltt0Q
=y8iY
-----END PGP SIGNATURE-----
5:45 p.m.
On Fri, Oct 24, 2008 at 03:38:15PM -0700, Timothy Renner wrote:
Is there any debug stream available that can tell me what is being
processed by the SELinux system? Specifically, I'd like to be able to
follow the trail from starting an executable, through its state
transitions, what files it reads, and what their file contexts are, and
what transitions happen as it calls external programs.
Most of this is visible in strace. Some post processing
will fill in the gaps.
Try something like:
strace -f -o /tmp/trace-my-subshell sh bash id program exit exit
Look at the system calls for mmap, fstat, setcon, open, read, write,
access, close, etc. to see what files it reads, attempts to read,
writes, attempts to write, libraries and so on.
After building a list of files you can use 'stat' to learn what the
context of each file is.
$ stat -Z /etc/shadow
$ stat -Z /etc/passwd
Most but not all interactions can just be seen with strace.
If you are more interested in tracing SELinux itself some
value may be found by running in permissive mode. Like tracing
SUID/SGID processes Hawthorne and Heisenberg issues come to play.
You will not be able to trace stuff beyond your level.
--
T o m M i t c h e l l
Found me a new hat, now what?
7:59 a.m.
On Fri, 2008-10-24 at 15:38 -0700, Timothy Renner wrote:
Is there any debug stream available that can tell me what is being
processed by the SELinux system? Specifically, I'd like to be able to
follow the trail from starting an executable, through its state
transitions, what files it reads, and what their file contexts are, and
what transitions happen as it calls external programs.
Options:
- Use system call auditing (see man pages for autrace, auditctl, auditd;
ask questions on linux-audit(a)redhat.com).
or
- Add auditallow rules to the domain for the program in order to trigger
auditing of permission grantings.
And of course, denials are already audited by SELinux by default.
--
Stephen Smalley
National Security Agency
5658
days inactive
5661
days old
selinux@lists.fedoraproject.org
3 comments
4 participants
participants (4)
-
Daniel J Walsh -
Nifty Fedora Mitch -
Stephen Smalley -
Timothy Renner