file, executable, and policy

Dave Quigley selinux at davequigley.com
Mon Nov 5 04:29:30 UTC 2012


On 11/4/2012 6:03 PM, ken wrote:
> It's nice with selinux that a notification window pops up when a
> violation has been detected... and then that it's a simple matter to
> click on an icon to pop open a window with much more information.  But
> lacking in that window is critical information necessary to identify and
> then perhaps resolve the issue.
>
> Fundamentally the action of some executable has tried, against policy,
> to access some file.  So why doesn't this page list:
>
> - the name of the file, including full path, against which access was
> attempted;
>
> - the name of the executable, including full path, which tried to access
> that file; and
>
> - text explaining the policy which was violated, or at least a link to it?
>
> I've had selinux installed for some years now (in permissive mode), but
> am considering uninstalling it because, lacking this obvious and
> critical information, there doesn't seem to be a point to it.
>

To answer your questions in order

1) It will give you the name of the target file. However, unless you have 
full syscall auditing turned on, the audit subsystem doesn't have the 
full path information. You could turn it on, but it introduces some 
overhead. To do this you just have to include one rule with auditctl, or 
you can put it in /etc/audit/audit.rules.

2) It tells you the program that tried the access; it is in the comm and 
exe fields of the AVC audit message. Comm will be just the command and 
exe will be the full path.

3) The policy it violated was that it attempted an access that isn't in 
policy. SELinux is deny by default. It will tell you what access it 
attempted. The avc record will start with denied { permission }, then 
will specify scontext, which is the source context, tcontext, which is the 
target context, and tclass, which is the object class.

Dave
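The three answers above describe where each piece of information lives in the audit log: the permission set, the target's name (basename only, from the AVC record), the source and target contexts and object class, the command name in comm, the executable in exe, and the full path, which only appears when syscall auditing is on and the kernel emits SYSCALL and PATH records for the same event. The parser below is an added example, not code from the original post or from the SELinux or audit projects. It groups records by the audit serial number, merges the AVC record with any SYSCALL and PATH records of the same event, and returns the fields ken asked for. The sample log lines are constructed for this example; they follow the audit.log layout as I know it, where exe= sits on the SYSCALL record (older kernels also put it on the AVC record itself, which the fallback covers), and the PATH record matching is done on the inode number, which is the assumption that lets it pick the right item when a call touches both a directory and a file.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original post).
# Event 456 was logged with a syscall-audit rule active, so it carries
# SYSCALL, CWD and PATH records besides the AVC record. Event 457 was
# logged without one, so only the AVC record exists and no full path is
# available, which is the limitation described in answer 1.
SAMPLE_LOG = """\
type=AVC msg=audit(1352066970.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1352066970.123:456): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="fullpath"
type=CWD msg=audit(1352066970.123:456):  cwd="/"
type=PATH msg=audit(1352066970.123:456): item=0 name="/home/ken/public_html/" inode=5555 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=PATH msg=audit(1352066970.123:456): item=1 name="/home/ken/public_html/index.html" inode=98765 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=AVC msg=audit(1352066971.500:457): avc:  denied  { write } for  pid=2222 comm="cupsd" name="printers.conf" dev="sda1" ino=4321 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# type=<record type> msg=audit(<timestamp>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# avc:  denied  { read write } for ...  -> the permission set
DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}')


def parse_record(line):
    """Parse one audit.log line into (type, serial, fields) or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    denied = DENIED_RE.search(body)
    if denied:
        fields['permissions'] = denied.group('perms').split()
    return m.group('type'), int(m.group('serial')), fields


def group_events(text):
    """Collect all records sharing an audit serial number into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial].append((rtype, fields))
    return events


def explain_denial(records):
    """Return the fields a reader wants for one AVC denial, or None."""
    avc = next((f for t, f in records if t == 'AVC' and 'permissions' in f), None)
    if avc is None:
        return None
    syscall = next((f for t, f in records if t == 'SYSCALL'), None)
    paths = [f for t, f in records if t == 'PATH']

    # The AVC record only carries the basename (name=) and inode (ino=).
    # With syscall auditing on, the PATH records carry full paths; match on
    # the inode so a multi-item list (directory + file) resolves to the file.
    full_path = None
    for p in paths:
        if p.get('inode') == avc.get('ino') and 'name' in p:
            full_path = p['name']
    if full_path is None and paths:
        full_path = paths[-1].get('name')  # heuristic: last item is the target

    return {
        'permissions': avc['permissions'],            # denied { ... }
        'file': avc.get('name'),                     # basename only
        'full_path': full_path,                      # None without syscall auditing
        'comm': avc.get('comm'),                     # bare command name
        'exe': (syscall or {}).get('exe') or avc.get('exe'),  # full path of the binary
        'scontext': avc.get('scontext'),
        'tcontext': avc.get('tcontext'),
        'tclass': avc.get('tclass'),
    }


def summarize(text):
    """Map each audit serial that contains an AVC denial to its summary."""
    out = {}
    for serial, recs in group_events(text).items():
        info = explain_denial(recs)
        if info:
            out[serial] = info
    return out


if __name__ == '__main__':
    for serial, info in sorted(summarize(SAMPLE_LOG).items()):
        print(serial, info)
```

Event 457 comes back with full_path set to None, which is exactly the gap the first answer describes: without a syscall-audit rule there is nothing but the AVC record to work from. Whatever rule you add, the key= tag it carries (the -k option of the rule) shows up on the SYSCALL record and is the quickest way to find the events it produced.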

