* execve silently blocked
@ 2019-10-02 19:25 Ian Pilcher
2019-10-02 19:41 ` Dominick Grift
0 siblings, 1 reply; 3+ messages in thread
From: Ian Pilcher @ 2019-10-02 19:25 UTC (permalink / raw)
To: selinux
I am writing an SELinux policy for a daemon that needs to exec an
external program. The execve call is being denied (permission denied),
but no denial is being logged, even after disabling dontaudit rules
(semodule -DB).
(The execve call does succeed in permissive mode.)
How can I troubleshoot this?
Thanks!
--
========================================================================
Ian Pilcher arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: execve silently blocked
2019-10-02 19:25 execve silently blocked Ian Pilcher
@ 2019-10-02 19:41 ` Dominick Grift
2019-10-02 20:08 ` Ian Pilcher
0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2019-10-02 19:41 UTC (permalink / raw)
To: Ian Pilcher; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 1057 bytes --]
On Wed, Oct 02, 2019 at 02:25:22PM -0500, Ian Pilcher wrote:
> I am writing an SELinux policy for a daemon that needs to exec an
> external program. The execve call is being denied (permission denied),
> but no denial is being logged, even after disabling dontaudit rules
> (semodule -DB).
Are you also looking for "selinux_err" records?
`ausearch -m avc,user_avc,selinux_err -i`
will return avc, user_avc and selinux_err records if auditd is running.
>
> (The execve call does succeed in permissive mode.)
>
> How can I troubleshoot this?
>
> Thanks!
>
> --
> ========================================================================
> Ian Pilcher arequipeno@gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: execve silently blocked
2019-10-02 19:41 ` Dominick Grift
@ 2019-10-02 20:08 ` Ian Pilcher
0 siblings, 0 replies; 3+ messages in thread
From: Ian Pilcher @ 2019-10-02 20:08 UTC (permalink / raw)
To: selinux
On 10/2/19 2:41 PM, Dominick Grift wrote:
> Are you also looking for "selinux_err" records?
Nope, because I had never heard of them before. :-)
That found the error:
type=SELINUX_ERR msg=audit(1570044939.773:845):
op=security_compute_sid
invalid_context=system_u:system_r:denatc_sudo_t:s0
scontext=system_u:system_r:denatc_t:s0
tcontext=system_u:object_r:sudo_exec_t:s0 tclass=process
It seems that I was missing a role-type statement:
role system_r types denatc_sudo_t;
Adding that gets me back to more conventional denials, which I know how
to deal with.
Thanks!
--
========================================================================
Ian Pilcher arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-10-02 20:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-02 19:25 execve silently blocked Ian Pilcher
2019-10-02 19:41 ` Dominick Grift
2019-10-02 20:08 ` Ian Pilcher
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).