
selinux

Can SELinux be configured to log any action that it blocks? I would think this would make finding what software has gone beyond expectations pretty obvious.

-Brett.

Yes, by default on Redhat/SL selinux makes an audit entry in /var/log/messages when in either active or permissive mode for every blocked event (or every permitted event that would have been blocked but for being in permissive mode).

The two options that I'm aware of when selinux is getting in the way of something (assuming you don't want to disable it or put it in permissive mode) are

1. Change the security context of the file that is being blocked (verify it by inode number!). Use the chcon command or in some cases restorecon (the -n option is your friend with restorecon to see what it would do). Change the context to whatever it says in the “scontext” field of the audit message. Oddly enough, I often get selinux denial messages when using the chcon command, even though the command succeeded. (You can verify it worked with “ls -lZ” to see the selinux context of the file.)

2. Alter the local security policy to allow the attempted action. To do this you can let the tools do some of the work:

2a. Put the contents of the denial message (from /var/log/messages) into a separate file (/tmp/audit_denial for instance).

2b. Use audit2allow to parse the logged denial message and put the appropriate string into /etc/selinux/targeted/src/policy/domains/misc/local.te . To do this the first time, I had to install the selinux-policy-targeted-sources RPM. (for instance:

# work from the policy source tree so the relative path to local.te resolves
cd /etc/selinux/targeted/src/policy
# -i reads the saved denial; -o appends the generated allow rule to local.te
audit2allow -i /tmp/audit_denial -o domains/misc/local.te
# rebuild the policy and load it into the running kernel
make load

)

This is from memory, so I might have left something out. … -Wayne Betts
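The denial messages Wayne refers to are plain text, so the triage he describes (find the scontext/tcontext pair, note the inode to verify which file is really being hit, then decide between relabelling and a local policy rule) can be scripted. The Python below is an added example, not code from the original page or from the SELinux project: it parses AVC records in the old kernel-to-syslog format, groups denials by source type, target type and object class, and renders the union of denied permissions as allow rules in the shape audit2allow emits. The sample log lines, host name, PIDs and inode numbers are constructed; the check for a `permissive=` field is an assumption (it appears in newer audit records, not in this format).

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel-to-/var/log/messages format discussed
# above: three distinct denials, one repeat, and one unrelated sshd line.
SAMPLE_LOG = """\
Jan 18 07:09:01 host kernel: audit(1106031000.123:45): avc:  denied  { read } for  pid=2117 comm="httpd" name="index.html" dev=hda3 ino=524301 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jan 18 07:09:02 host kernel: audit(1106031001.456:46): avc:  denied  { write } for  pid=2117 comm="httpd" name="upload.tmp" dev=hda3 ino=524310 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file
Jan 18 07:09:03 host kernel: audit(1106031002.789:47): avc:  denied  { name_connect } for  pid=2117 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
Jan 18 07:09:04 host kernel: audit(1106031003.012:48): avc:  denied  { read } for  pid=2117 comm="httpd" name="index.html" dev=hda3 ino=524301 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jan 18 07:09:05 host sshd[1234]: Accepted publickey for brett from 10.0.0.5 port 50000 ssh2
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "name": fields.get("name"),
        "dev": fields.get("dev"),
        "ino": fields.get("ino"),  # inode number: compare with `ls -i` before relabelling
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # Assumption: newer records carry permissive=1 when the denial was only logged.
        "permissive": fields.get("permissive") == "1",
    }


def type_of(context):
    """Extract the type (third field) from user:role:type[:level]."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denied records by (source type, target type, class), union the
    permissions, and count how often each group fired.
    Returns a sorted list of (stype, ttype, tclass, sorted perms, count)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["count"] += 1
    return [
        (s, t, c, sorted(g["perms"]), g["count"])
        for (s, t, c), g in sorted(groups.items())
    ]


def allow_rules(log_text):
    """Render the summary as TE allow rules, the shape audit2allow writes into
    local.te. They describe what was denied, not what should be allowed."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
        for s, t, c, perms, _ in summarize(log_text)
    ]


if __name__ == "__main__":
    for s, t, c, perms, n in summarize(SAMPLE_LOG):
        print(f"{n:3d}x  {s} -> {t} ({c}): {' '.join(perms)}")
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Read the summary group by group before anything goes into local.te: a denial such as httpd_t reading user_home_t is usually the relabelling case from item 1 (the file simply carries the wrong context, which chcon or restorecon fixes), whereas a denial whose target context is already correct is the candidate for a local policy rule in item 2.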

Alternative:

…disable SEL and use grsecurity (www.grsecurity.net) which is a kernel patch that requires no supporting utilities other than the gradm control utility. It includes the PaX patches.

Have a look at: http://fedoraproject.org/wiki/SELinux/Troubleshooting

http://wiki.centos.org/HowTos/SELinux

aoe/selinux.txt · Last modified: 1970/01/18 07:09 by 127.0.0.1