Splunk Policy
Dominick Grift
dominick.grift at gmail.com
Wed Aug 28 17:16:47 UTC 2013
On Wed, 2013-08-28 at 18:53 +0200, Robert Gabriel wrote:
> Please advise.
>
> Any help appreciated, thank you.
There are various things you may have overlooked:
Some things may be silently denied, thus not showing up in the audit.log
by default
To expose these, follow this procedure:
semodule -DB
reproduce issue
look for avc, user_avc and selinux_err messages in audit.log, and
in /var/log/messages
semodule -B
Make sure you arent overlooking selinux messages. Sometimes SELinux logs
to /var/log/messages but most of the time to /var/log/audit/audit.log
But if you use ausearch to parse the audit.log then use "-m
avc,user_avc,selinux_err", so that it looks for all kinds of selinux
related messages rather than only regular "avc denials"
When writing policy , one usually needs to do various rounds of testing
because not all issues may surface the time round of testing
Heres the procedure i usually follow ( in that order ):
1. test in permissive mode
2. test in permissive mode with semodule -DB
3. test in enforcing mode with semodule -DB
4. test in enforcing mode
Those are just some suggestions, but since i have little information
about your issues it is hard to determine if this will help
Some questions:
1. does it work in permissive mode?
2. does or do the processes run in the expected context(s)
3. can you enclose your source policy module for review?
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
More information about the selinux
mailing list