Hi Chris and all,

Okay, if I correctly understand noatsecure, I should be able to decode the
following AVC log message:

Feb 1 16:55:03 office kernel: avc: denied { noatsecure } for pid=14026
exe=/usr/local/sbin/samhain scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:samhain_t tclass=process

The message seems to be saying that a process in the initrc_t domain was
transitioning to the samhain_t domain. This has probably occurred as
Run_init is launching Samhain. Apparently, Run_init runs in Glibc secure
mode whereas Samhain does not.

What now puzzles me is that this message wasn't associated with a Samhain
failure. It seems that the action wasn't really "denied" despite the
message. After all, the dontaudits that appear in policy.conf would merely
suppress the message; they wouldn't authorize the action. And, in this
particular case, I've not found it necessary to code a rule such as:

allow initrc_t samhain_t:process {noatsecure};

Apparently, "denied" sometimes means "notice." Am I getting close?

Cheers,

---------------------------------------------------
Bill McCarty

--
gentoo-hardened@g.o mailing list
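Added example, not part of the original message: a small Python decoder for the AVC record quoted above, which splits it into its fields and renders the access vector as both the allow form the message quotes and the dontaudit form it mentions. The names parse_avc, type_of and te_rule are hypothetical, and SAMPLE is the quoted record joined onto one line.

```python
import re

# The AVC record quoted in the message, joined onto one line.
SAMPLE = (
    "Feb 1 16:55:03 office kernel: avc: denied { noatsecure } for pid=14026 "
    "exe=/usr/local/sbin/samhain scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:system_r:samhain_t tclass=process"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Split one AVC record into decision, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC record
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    missing = {"scontext", "tcontext", "tclass"} - set(fields)
    if missing:
        raise ValueError("AVC record lacks " + ", ".join(sorted(missing)))
    return {"result": m.group("result"), "perms": m.group("perms").split(), **fields}


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: " + context)
    return parts[2]


def te_rule(avc, keyword="allow"):
    """Render the type-enforcement rule that names this access vector."""
    if keyword not in ("allow", "dontaudit"):
        raise ValueError("keyword must be allow or dontaudit")
    return "%s %s %s:%s { %s };" % (
        keyword, type_of(avc["scontext"]), type_of(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))


if __name__ == "__main__":
    avc = parse_avc(SAMPLE)
    print(avc["result"], avc["perms"], "pid", avc["pid"])
    print(te_rule(avc))
    print(te_rule(avc, "dontaudit"))
```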