Splunk Policy
Robert Gabriel
ephemeric at gmail.com
Fri Aug 30 08:12:47 UTC 2013
On 28 August 2013 19:16, Dominick Grift <dominick.grift at gmail.com> wrote:
> On Wed, 2013-08-28 at 18:53 +0200, Robert Gabriel wrote:
>
> > Please advise.
> >
> > Any help appreciated, thank you.
>
> There are various things you may have overlooked:
>
> Some things may be silently denied, thus not showing up in the audit.log
> by default
>
> To expose these, follow this procedure:
>
> semodule -DB
> reproduce issue
> look for avc, user_avc and selinux_err messages in audit.log, and
> in /var/log/messages
> semodule -B
>
> Make sure you arent overlooking selinux messages. Sometimes SELinux logs
> to /var/log/messages but most of the time to /var/log/audit/audit.log
>
> But if you use ausearch to parse the audit.log then use "-m
> avc,user_avc,selinux_err", so that it looks for all kinds of selinux
> related messages rather than only regular "avc denials"
>
> When writing policy , one usually needs to do various rounds of testing
> because not all issues may surface the time round of testing
>
> Heres the procedure i usually follow ( in that order ):
>
> 1. test in permissive mode
> 2. test in permissive mode with semodule -DB
> 3. test in enforcing mode with semodule -DB
> 4. test in enforcing mode
Dominick,
You are the man!
I'm not sure what happened, but as you explained, yes there were several
other messages in said logs.
I followed your methodology and saw another AVC denied message, added that
and saw other Splunk related, but not denies.
Several restarts and a reboot and Splunk is still up.
THANK YOU THANK YOU THANK YOU!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20130830/99c535e3/attachment.html>
More information about the selinux
mailing list