• 1
If the service denied access to a resource due to SELinux policy, does it know that it is security module preventing it's access? No. But if anyone would add an additional code to the kernel so that applications will get to know that they are denied to access the resource because the security module is preventing it, then error messages of the applications might become more human-readable. What do you think about this idea, Dan?

Well the problem with that is all the kernel is returning is EPERM

Which lots of programs no how to handle. Introducing a new ERRNO would be problematic and would probably caused lots of apps to blow up. Also there are potentially other LSM apps and other ways to get EPERM then just DAC. So I think it is a non starter. We are reporting errors in /var/log/messages if you have setroubleshoot-server installed, and all SELinux error messages show up in /var/log/audit/audit.log

  • 1
?

Log in