| 1 |
Hi Chris and all, |
| 2 |
|
| 3 |
Okay, if I correctly understand noatsecure, I should be able to decode the |
| 4 |
following AVC log message: |
| 5 |
|
| 6 |
Feb 1 16:55:03 office kernel: avc: denied { noatsecure } for pid=14026 |
| 7 |
exe=/usr/local/sbin/samhain scontext=system_u:system_r:initrc_t |
| 8 |
tcontext=system_u:system_r:samhain_t tclass=process |
| 9 |
|
| 10 |
The message seems to be saying that a process in the initrc_t domain was |
| 11 |
transitioning to the samhain_t domain. This has probably occurred as |
| 12 |
Run_init is launching Samhain. Apparently, Run_init runs in Glibc secure |
| 13 |
mode whereas Samhain does not. |
| 14 |
|
| 15 |
What now puzzles me is that this message wasn't associated with a Samhain |
| 16 |
failure. It seems that the action wasn't really "denied" despite the |
| 17 |
message. After all, the dontaudits that appear in policy.conf would merely |
| 18 |
suppress the message; they wouldn't authorize the action. And, in this |
| 19 |
particular case, I've not found it necessary to code a rule such as: |
| 20 |
|
| 21 |
allow initrc_t samhain_t:process {noatsecure}; |
| 22 |
|
| 23 |
Apparently, "denied" sometimes means "notice." Am I getting close? |
| 24 |
|
| 25 |
Cheers, |
| 26 |
|
| 27 |
--------------------------------------------------- |
| 28 |
Bill McCarty |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-hardened@g.o mailing list |
Archives