AVC denied messages from booting?

Daniel J Walsh dwalsh at redhat.com
Mon Mar 8 19:44:57 UTC 2004


Richard Hally wrote:

>I'm running in SELinux permissive mode and after booting up to runlevel 5
>and logging in, I look at /var/log/messages and see quite a few AVC denied
>messages. Is this happening on other people's systems?
>  
>
In a non-enforcing mode you will get a lot more messages than in enforcing
mode, since the kernel is just logging that if you were in enforcing mode the
access would have been denied.
So if an app was going to try to read a bunch of files in a directory,
and got a denial on read, it would stop in enforcing mode; in non-enforcing
mode it will get a denial for each file in the directory that
it reads.

>I have been downloading all the latest policy (and related) packages and the
>rest of the /development tree for the last few weeks but it doesn't look
>like there are fewer AVC denied messages each time I boot with each new
>kernel and policy. Should I expect the default policy to allow me to boot an
>"Everything installed"  /development updated system with no AVC denied
>messages? At some point in the near future? 
>  
>
That is the goal.  This of course would be if the user and apps don't
try to do something that they are not allowed to do.  I.e., if you install
a fresh system in enforcing mode and
cat /etc/shadow you will generate a denial message.

>More generally, what is the Red Hat plan and objective for developing the
>policy they package?
>
>  
>
>Thanks for any help,
>  
>Richard Hally
>
>  
>
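
Added example, not part of the original message: a small Python triage script that collapses the per-file denials permissive mode logs into one row per (source type, target type, class, permission), which is the granularity policy is written at. The log lines, the `example_t` domain and the `exampled` program are constructed for illustration, and the field layout is an assumption about how AVC denials appear in /var/log/messages.

```python
import re
from collections import Counter

# Constructed sample lines (assumed syslog AVC layout; not taken from the thread).
SAMPLE_LOG = """\
Mar  8 14:40:01 host kernel: audit(1078774801.101:0): avc:  denied  { read } for  pid=812 exe=/usr/bin/exampled name=a.conf dev=hda2 ino=101 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file
Mar  8 14:40:01 host kernel: audit(1078774801.102:0): avc:  denied  { read } for  pid=812 exe=/usr/bin/exampled name=b.conf dev=hda2 ino=102 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file
Mar  8 14:40:01 host kernel: audit(1078774801.103:0): avc:  denied  { read } for  pid=812 exe=/usr/bin/exampled name=c.conf dev=hda2 ino=103 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file
Mar  8 14:41:10 host sshd[900]: session opened for user richard
Mar  8 14:42:30 host kernel: audit(1078774950.200:0): avc:  denied  { read } for  pid=955 exe=/bin/cat name=shadow dev=hda2 ino=777 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def context_type(context):
    """Return the type field of a user:role:type context (whole string if odd)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one log line; return a dict of AVC fields, or None if not a denial."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = dict(FIELD_RE.findall(match.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    fields["perms"] = match.group("perms").split()
    return fields


def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        record = parse_avc(line)
        if record is None:
            continue
        for perm in record["perms"]:
            counts[(context_type(record["scontext"]),
                    context_type(record["tcontext"]),
                    record["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, hits in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{hits:5d}  {' '.join(key)}")
```

A high count on a single row usually means one missing or intentionally absent rule hit repeatedly, as in the directory-read case described above, rather than many separate problems.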



