avc granted - dontaudit?

Rejy M Cyriac rcyriac at redhat.com
Tue Jun 11 06:56:22 UTC 2013


On 06/11/2013 01:40 AM, m.roth at 5-cent.us wrote:
> CentOS 6.4.
> I'm getting those annoying avc granted's in connection with matlab, still
> (again?). I see in audit.log it saying "allowed". Would dontaudit shut
> that up? The one doc I've found seemed to suggest it would silently deny,
> but said nothing about silently allow.
> 
>      mark
> 
> 
Mark,

The 'dontaudit' policy rules are for those *denials* that need not be
logged.

In the current case, what you are seeing is the effect of 'auditallow'
policy rules, which specify that when certain accesses are allowed,
due to the existence of corresponding 'allow' rules, log that the access
was granted. The 'auditallow' policy rules by themselves do not grant
the access, they only log when the access is granted.

You can see the existing 'auditallow' rules in the policy by running:

sesearch --auditallow

These special rules are put in place so that certain *major* access
allows are logged, especially accesses that would have serious security
implications.

It is recommended not to remove the existing 'auditallow' policy rules.
However, if you need to remove them, I believe that you would have to
remove them from the base policy source, and recompile the base policy.

-- 
Regards,

Rejy M Cyriac (rmc)
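As an added illustration (not part of the original thread), the Python below classifies AVC records from audit.log the way the reply describes: a 'granted' record is produced by an auditallow rule and is untouched by dontaudit, while a 'denied' record is the kind dontaudit suppresses. For each record it also builds the sesearch query that lists the matching rule. The log lines are constructed samples; the -s/-t/-c filters are the standard sesearch source, target and class options.

```python
import re

# Fields of an AVC audit record that matter for deciding which rule kind logs it.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)

# Constructed sample of audit.log content: one granted AVC, one denied AVC, one non-AVC line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1370914822.123:4567): arch=c000003e syscall=59 success=yes
type=AVC msg=audit(1370914822.123:4567): avc:  granted  { execmem } for  pid=1234 comm="example" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1370914830.456:4570): avc:  denied  { read } for  pid=1234 comm="example" name="passwd" dev=dm-0 ino=99 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context reads user:role:type:level; the type is the third field.
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def logging_rule_kind(rec):
    """Rule kind that decides whether this record is written to audit.log.

    'granted' records exist only because an auditallow rule matched the access,
    so dontaudit cannot silence them. 'denied' records are what dontaudit hides.
    """
    return "auditallow" if rec["verdict"] == "granted" else "dontaudit"


def sesearch_query(rec):
    """sesearch command listing the auditallow rule behind a granted record, or any
    dontaudit rule already covering a denied one (none, if the denial was logged)."""
    return "sesearch --{} -s {} -t {} -c {}".format(
        logging_rule_kind(rec), rec["stype"], rec["ttype"], rec["tclass"])


def summarize(log_text):
    """Parse every AVC record in the given audit.log text."""
    return [r for r in (parse_avc(l) for l in log_text.splitlines()) if r]
```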

