file, executable, and policy

Stephen Smalley sds at tycho.nsa.gov
Mon Nov 5 19:05:34 UTC 2012


On 11/05/2012 11:53 AM, ken wrote:
>
>
> On 11/05/2012 08:29 AM Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 11/04/2012 06:03 PM, ken wrote:
>>> It's nice with selinux that a notification window pops up when a
>>> violation has been detected... and then that it's a simple matter to
>>> click on an icon to pop open a window with much more information.  But
>>> lacking in that window is critical information necessary to identify
>>> and then perhaps resolve the issue.
>>>
>>> Fundamentally the action of some executable has tried, against
>>> policy, to access some file.  So why doesn't this page list:
>>>
>>> - the name of the file, including full path, against which access was
>>> attempted;
>>>
>>> - the name of the executable, including full path, which tried to access
>>> that file; and
>>>
>>> - text explaining the policy which was violated, or at least a link to
>>> it?
>>>
>>> I've had selinux installed for some years now (in permissive mode),
>>> but am considering uninstalling it because, lacking this obvious and
>>> critical information, there doesn't seem to be a point to it.
>>>
>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> Why doesn't SELinux give you full path?
>
> Yes, exactly.  This is critical information.  You'd think this would be
> displayed prominently and descriptively.

Dan discusses that issue in the blog entry he cited.  That was just the 
title of his blog entry; the URL was below it.

Anyway, SELinux includes the information it has available to it at the 
point the permission check occurs, and will further trigger an audit 
SYSCALL record if syscall auditing is enabled.  But a pathname is often 
not available to SELinux and the audit system will only collect the 
pathname if you have at least one audit rule configured.
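To make the point above concrete, here is a small Python script (an added example, not part of Stephen's message and not code from SELinux or the audit tools) that does what ken asked the troubleshooter window to do: it stitches together the records of one audit event by serial number and pulls the executable from the SYSCALL record and the full pathname from the PATH record, falling back to whatever the AVC record itself carried when those records are absent. The two audit events embedded below are constructed for this example (the serials, pids, inodes and contexts are made up): the first is what you get with syscall auditing on and at least one audit rule loaded (AVC + SYSCALL + CWD + PATH), the second is a bare AVC with no accompanying records, where only the kernel's own fields are available.

```python
import os
import re
from collections import defaultdict

# Constructed sample records for this example (not taken from the thread).
# Event 4242: AVC, SYSCALL, CWD and PATH records, as emitted when syscall
# auditing is enabled and an audit rule exists. Event 4243: a lone AVC.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1352142334.123:4242): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1352142334.123:4242): arch=c000003e syscall=2 success=no exit=-13 a0=7f0 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=1234 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=CWD msg=audit(1352142334.123:4242):  cwd="/"
type=PATH msg=audit(1352142334.123:4242): item=0 name="/home/ken/public_html/index.html" inode=98765 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=AVC msg=audit(1352142400.456:4243): avc:  denied  { getattr } for  pid=2345 comm="sshd" path="/root/.ssh/authorized_keys" dev="sda1" ino=1111 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
"""

_SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r"denied\s+\{ ([^}]*) \}")


def parse_record(line):
    """Split one audit record into a dict of key=value fields.

    Quoted values lose their quotes. The AVC's permission set, which is
    not a key=value field, is stored under 'perms' as a list.
    """
    fields = {}
    for key, value in _KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = _PERMS_RE.search(line)
    if m:
        fields["perms"] = m.group(1).split()
    return fields


def group_events(log_text):
    """Group records by audit serial; all records of one event share it."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = _SERIAL_RE.search(line)
        if m:
            events[int(m.group(2))].append(parse_record(line))
    return events


def summarize_denial(serial, records):
    """Combine the AVC, SYSCALL, CWD and PATH records of one event.

    Returns None when the event holds no AVC denial. Anything the kernel
    did not supply is reported as None rather than guessed.
    """
    by_type = defaultdict(list)
    for rec in records:
        by_type[rec.get("type")].append(rec)
    if not by_type["AVC"]:
        return None
    avc = by_type["AVC"][0]
    syscall = by_type["SYSCALL"][0] if by_type["SYSCALL"] else {}
    cwd = by_type["CWD"][0].get("cwd") if by_type["CWD"] else None

    # Prefer the PATH item whose inode matches the AVC's ino= field, then
    # the first PATH item; without PATH records, fall back to what the
    # AVC itself carried (a full path= or just the basename in name=).
    paths = by_type["PATH"]
    chosen = next((p for p in paths if p.get("inode") == avc.get("ino")), None)
    if chosen is None and paths:
        chosen = paths[0]
    path = None
    if chosen is not None and "name" in chosen:
        path = chosen["name"]
        if not path.startswith("/") and cwd:  # relative name: resolve via CWD
            path = os.path.normpath(os.path.join(cwd, path))
    elif "path" in avc:
        path = avc["path"]
    elif "name" in avc:
        path = avc["name"]

    return {
        "serial": serial,
        "perms": avc.get("perms", []),
        "tclass": avc.get("tclass"),
        "scontext": avc.get("scontext"),
        "tcontext": avc.get("tcontext"),
        "exe": syscall.get("exe"),   # only present with a SYSCALL record
        "comm": avc.get("comm"),
        "path": path,
        "path_is_full": path is not None and path.startswith("/"),
    }


def denials(log_text):
    """All AVC denials in the log, in serial order."""
    grouped = sorted(group_events(log_text).items())
    return [s for s in (summarize_denial(n, r) for n, r in grouped) if s]


def format_denial(d):
    exe = d["exe"] or "(no SYSCALL record; comm=%s)" % d["comm"]
    path = d["path"] or "(not available)"
    if d["path"] and not d["path_is_full"]:
        path += " (basename only; no PATH record)"
    return "event %d: %s denied %s on %s %s (%s -> %s)" % (
        d["serial"], exe, ",".join(d["perms"]), d["tclass"], path,
        d["scontext"], d["tcontext"])


if __name__ == "__main__":
    for d in denials(SAMPLE_AUDIT_LOG):
        print(format_denial(d))
```

Run against `ausearch -m avc -ts recent` output (or /var/log/audit/audit.log directly) instead of the constructed sample to use it on a real box. The precondition Stephen names is that at least one audit rule is loaded; any watch will do (for example `auditctl -w /etc/shadow -p wa -k shadow`), after which the kernel attaches PATH records to every audited syscall and the second, information-poor case above becomes the exception rather than the rule.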