danwalsh (danwalsh) wrote,

New Features in Fedora 8 - disable dontaudit rules

One of the features of SELinux is the ability to dontaudit certain access checks by a confined application: the access is still denied, but the denial is not logged. dontaudit rules are handy when a denial is expected and is used to force an application down a different code path.

For example, the pam_unix module attempts to read /etc/shadow directly when verifying your password. So every application that prompts you for a password and uses pam will try to read the /etc/shadow file. Letting applications read /etc/shadow is not secure: a compromised application that can read /etc/shadow can run password crackers against it. But pam was designed to recognize that some (non-root) applications can not read /etc/shadow. Pam provides a setuid helper application, /sbin/unix_chkpwd, and the pam libraries execute this helper whenever they can not read /etc/shadow themselves.

In SELinux we prevent almost every application from reading the /etc/shadow file directly, causing pam to use its helper application. But this would generate a ton of AVC messages that make it look like sshd, login or apache are trying to read /etc/shadow. So we dontaudit these access checks.

Sometimes applications have bugs that cause AVC messages to be generated. A common cause of this is leaked file descriptors. So rather than fill your log files with AVC messages while we wait for these buggy applications to be fixed, we add dontaudit rules.

Sometimes policy writers have been a little too liberal with the dontaudit rules. The policy writer writes a dontaudit rule which covers up an access denial that is causing an application to break, and the administrator is left with little information on why his application is breaking.

We have built a couple of different ways to turn off the dontaudit rules. In Red Hat Enterprise Linux 4 you need to install selinux-policy-sources, go into the src directory and execute make enableaudit; make reload.

In Red Hat Enterprise Linux 5, Fedora Core 6 and Fedora 7, we have shipped a secondary base policy package, /usr/share/selinux/targeted/enableaudit.pp. You can install it using the following command:

# semodule -b /usr/share/selinux/targeted/enableaudit.pp

To restore the defaults you would execute:

# semodule -b /usr/share/selinux/targeted/base.pp

There is a problem with this: it only turns off the dontaudit rules for domains that are in the base policy, so any dontaudit rules in loadable policy modules are not removed.

This is fixed in Fedora 8 (Rawhide).  You can now temporarily disable dontaudit rules by executing:

# semodule -DB

You can re-enable them using

# semodule -B

semodule -DB recompiles the policy without the dontaudit rules and reloads it. This stays in effect until the next time the policy is rebuilt (setsebool -P, semodule -i and semodule -B all rebuild policy), and it survives a reboot.

This is just for debugging potential SELinux problems. Disabling dontaudit rules will cause a lot more AVC messages to show up, and setroubleshoot will go nuts until it sees a message about itself and commits suicide.
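As an added example (not code from the original post or from the SELinux project): a small shell session around semodule -DB that also separates the expected pam /etc/shadow denials described above from denials worth investigating. It assumes Fedora 8's semodule and the audit package's ausearch; the helper functions and the AVC lines are constructed here for illustration, not captured from a real system.

```sh
#!/bin/sh
# Added example, not code from Dan Walsh's post. semodule and ausearch are the
# real tools; the helper functions and the sample AVC lines are constructed.

# Constructed audit.log excerpt (not captured from a real system): two httpd_t
# denials (one the expected shadow read, one a real problem), one sshd_t denial,
# and one non-AVC record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1190000000.101:41): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev=sda1 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1190000000.101:41): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1190000000.102:42): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190000000.103:43): avc:  denied  { read } for  pid=1200 comm="sshd" name="shadow" dev=sda1 ino=131 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Read audit records on stdin and print one line per AVC denial whose source
# type is $1:  <source type> <target type> <class> <permissions...>
avc_denials() {
    awk -v dom="$1" '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) {
                if (perms == "") perms = $i; else perms = perms " " $i
                continue
            }
            if ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/) c = substr($i, 8)
        }
        split(s, sp, ":"); split(t, tp, ":")   # user:role:type:mls -> type is field 3
        if (sp[3] == dom) print sp[3], tp[3], c, perms
    }'
}

# Count the denials for domain $1 that are the known pam fallback: a read of a
# shadow_t file. With dontaudit rules disabled these appear for every password
# prompt and are expected; pam goes on to run /sbin/unix_chkpwd instead.
count_expected_shadow_reads() {
    avc_denials "$1" | awk '
        $2 == "shadow_t" && $3 == "file" {
            for (i = 4; i <= NF; i++) if ($i == "read") { n++; break }
        }
        END { print n + 0 }'
}

# Everything else is worth a look: it may be a real policy bug or a leaked file
# descriptor that a too-liberal dontaudit rule was hiding.
unexpected_denials() {
    avc_denials "$1" | awk '!($2 == "shadow_t" && $3 == "file")'
}

# Live debugging session (needs root on Fedora 8 or later): rebuild the policy
# without dontaudit rules, reproduce the problem, collect the denials from the
# last few minutes, then rebuild with the dontaudit rules back in place.
# Usage: debug_with_dontaudit_off httpd_t apachectl graceful
debug_with_dontaudit_off() {
    domain="$1"; shift
    semodule -DB                        # policy without dontaudit rules
    "$@"                                # the command that misbehaves
    ausearch -m AVC -ts recent | unexpected_denials "$domain"
    semodule -B                         # restore the default policy
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_denials httpd_t
printf '%s\n' "$SAMPLE_AVC" | unexpected_denials httpd_t
```

Note that the parsing functions only filter records; the point of the session is the ordering, with semodule -B run last so the dontaudit rules are restored before setroubleshoot drowns in the extra AVCs.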