I do test-driven development where all my APIs are tested with a batch of tests. Initially, I ran the tests in 'permissive' mode in SELinux. So, I decided to enable SELinux to 'enforcing' mode. Obviously, I started getting AVC denials in the audit.log and half of the tests were failing. So, I used audit2allow to create a module for all the failed stuff (many denials) in the audit.log and did semodule -i to incorporate the new module into the kernel. However, there are a few tests that are still failing in permissive mode but it's not writing what's wrong to either the audit.log or messages file, so I'm clueless on fixing this. When I put the server in 'permissive' mode, the tests that failed in 'enforcing' mode now work flawlessly. How do I go about troubleshooting this?
You need to disable the dontaudit rules. You can do that using semanage(8).

From the manpage:

    Disable/Enable dontaudit rules in policy
    semanage dontaudit [-S store] [ on | off ]

You can also rebuild the whole policy without dontaudit rules, but that's possibly not what you want. The procedure is explained in detail in the Fedora documentation, and mentioned in the semodule(8) manpage.

You can also search for dontaudit in specific modules using sesearch(1).

dawud
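The loop the answer describes, as an added shell example that is not from the answer or its author: it assumes a Fedora/RHEL-style host with policycoreutils and audit installed (semanage, ausearch, audit2allow, semodule) and root, uses a placeholder module name `mytests`, and runs its offline part on constructed AVC records.

```shell
#!/bin/sh
# Added example, not from the answer or its author. Assumes policycoreutils
# and audit are installed (semanage, ausearch, audit2allow, semodule) and root.
set -eu

# Constructed AVC records in the format audit.log / ausearch use, for the
# offline demo below (not a real capture).
SAMPLE_AVC='type=AVC msg=audit(1365516000.123:4567): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1365516000.123:4567): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1365516000.456:4570): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.conf" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1365516000.789:4571): avc:  denied  { name_connect } for  pid=1235 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

# Reduce AVC records on stdin to one line per (source, target, class, perms),
# so the denials that only appear once dontaudit is off can be reviewed
# before any of them is turned into an allow rule.
summarize_avc() {
    grep 'avc:  denied' \
    | sed -n 's/.*denied  { \([^}]*\) } for .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \3 \4 {\1}/p' \
    | sort -u
}

# The procedure from the answer: expose the suppressed denials, run the
# failing tests in enforcing mode, review and build a module, then restore
# dontaudit so the audit log does not fill with the usual noise.
# $1 = command that runs the test batch, $2 = module name (placeholder).
troubleshoot_dontaudit() {
    test_cmd=$1
    module=${2:-mytests}
    semanage dontaudit off            # rebuilds and loads policy without dontaudit rules
    sh -c "$test_cmd" || true         # failures are expected; the AVCs are the point
    echo "== denials seen since dontaudit was disabled =="
    ausearch -m avc -ts recent | summarize_avc
    ausearch -m avc -ts recent | audit2allow -M "$module"   # read $module.te before loading
    semodule -i "$module.pp"
    semanage dontaudit on             # back to the default
}

# Offline demo on the constructed records (no SELinux tools needed).
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Only `summarize_avc` runs here; call `troubleshoot_dontaudit 'make test'` on the target host to run the actual loop.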
This is really something that few are aware of, unfortunately. There is basically a bunch of SELinux denials that occur on almost any command run and are mostly bogus denials that can be safely ignored in 99% of the cases. To prevent your audit logs from filling up with this junk, they are blanketly labeled as "don't audit these." However, when you are writing your own policy, you have to turn the "dontaudit" off in order to make sure that you are not missing anything. – mricon Apr 09 '13 at 14:27