8.3.2. Possible Causes of Silent Denials
In certain situations, AVC denials may not be logged when SELinux denies access. Applications and system library functions often probe for more access than they need to perform their tasks. To maintain least privilege without filling audit logs with AVC denials for harmless application probing, the policy can silence AVC denials without allowing a permission by using dontaudit rules. These rules are common in standard policy. The downside of dontaudit is that, although SELinux still denies the access, the denial messages are not logged, which makes troubleshooting more difficult.
To temporarily disable dontaudit rules, so that all denials are logged, run the following command as the Linux root user:
~]# semodule -DB
The -D option disables dontaudit rules; the -B option rebuilds the policy. After running semodule -DB, exercise the application that was encountering permission problems and check whether SELinux denials relevant to that application are now being logged (for example with ausearch -m avc -ts recent). Expect a large number of additional AVC messages from other domains while dontaudit rules are disabled, since every probe the policy normally silences is now recorded. Take care in deciding which denials should be allowed: many are harmless probes that should continue to be ignored and handled via dontaudit rules rather than being allowed. If in doubt, or in search of guidance, contact other SELinux users and developers on an SELinux list, such as fedora-selinux-list.
To rebuild the policy and re-enable dontaudit rules, run the following command as the Linux root user:
~]# semodule -B
This restores the policy to its original state. For a full list of dontaudit rules, run the sesearch --dontaudit command. Narrow down searches using the -s domain option and the grep command. For example:
~]$ sesearch --dontaudit -s smbd_t | grep squid
dontaudit smbd_t squid_port_t : tcp_socket name_bind ;
dontaudit smbd_t squid_port_t : udp_socket name_bind ;
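Once dontaudit rules are disabled with semodule -DB, the audit log mixes the denial you are looking for with the probes the policy normally silences. The following shell script is an added example, not part of this guide or of the SELinux tools: it cross-references AVC records against sesearch --dontaudit output so that denials covered by a dontaudit rule can be set aside and the remaining ones investigated. Both the rule list and the AVC records are constructed inline for the example (the admin_home_t rule and the three records are assumptions, not taken from a real policy or audit log); on a real system the rules would come from sesearch --dontaudit -s smbd_t and the records from ausearch -m avc.

```shell
#!/bin/sh
# Added example: decide whether each AVC denial that appeared after
# "semodule -DB" is a probe the policy normally silences (a dontaudit rule
# covers it) or an unexplained denial worth investigating.

# Constructed stand-in for the output of "sesearch --dontaudit -s smbd_t".
# The first two rules match the guide's example; the third is assumed here
# purely for illustration and is not taken from a real policy.
DONTAUDIT_RULES='dontaudit smbd_t squid_port_t : tcp_socket name_bind ;
dontaudit smbd_t squid_port_t : udp_socket name_bind ;
dontaudit smbd_t admin_home_t : dir { getattr search } ;'

# Constructed AVC records in the layout "ausearch -m avc" prints (not real log data).
AVC_PROBE='type=AVC msg=audit(1400000000.100:101): avc:  denied  { name_bind } for  pid=2001 comm="smbd" src=3128 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket'
AVC_REAL='type=AVC msg=audit(1400000000.200:102): avc:  denied  { read } for  pid=2001 comm="smbd" name="report.doc" dev=dm-0 ino=4242 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
AVC_MIXED='type=AVC msg=audit(1400000000.300:103): avc:  denied  { getattr write } for  pid=2001 comm="smbd" path="/root" dev=dm-0 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir'
AVC_LOG="$AVC_PROBE
$AVC_REAL
$AVC_MIXED"

# is_dontaudited SOURCE_TYPE TARGET_TYPE CLASS PERM
# Succeeds when a rule in DONTAUDIT_RULES lists PERM for that source/target/
# class triple. sesearch prints either a single permission ("name_bind ;")
# or a braced set ("{ getattr search } ;"), so braces and ";" are skipped.
is_dontaudited() {
    printf '%s\n' "$DONTAUDIT_RULES" | awk -v s="$1" -v t="$2" -v c="$3" -v p="$4" '
        $1 == "dontaudit" && $2 == s && $3 == t && $4 == ":" && $5 == c {
            for (i = 6; i <= NF; i++) {
                if ($i == "{" || $i == "}" || $i == ";") continue
                if ($i == p) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# classify_avc AVC_RECORD
# Prints "silenced" when every denied permission is covered by a dontaudit
# rule (a probe that only became visible because of semodule -DB) and
# "unexpected" when at least one denied permission is not covered.
classify_avc() {
    rec=$1
    # The type is the third colon-separated field of a security context.
    src=$(printf '%s\n' "$rec" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$rec" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$rec" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p')
    verdict=silenced
    for perm in $perms; do
        if ! is_dontaudited "$src" "$tgt" "$cls" "$perm"; then
            verdict=unexpected
        fi
    done
    printf '%s\n' "$verdict"
}

# unexpected_count
# Number of records in AVC_LOG that no dontaudit rule explains.
unexpected_count() {
    n=0
    while IFS= read -r rec; do
        if [ "$(classify_avc "$rec")" = unexpected ]; then
            n=$((n + 1))
        fi
    done <<EOF
$AVC_LOG
EOF
    printf '%s\n' "$n"
}

# Walk the constructed log and print one verdict per record.
printf '%s\n' "$AVC_LOG" | while IFS= read -r rec; do
    printf '%s  %s\n' "$(classify_avc "$rec")" "$rec"
done
```

The squid_port_t name_bind record is reported as silenced, so it is exactly the kind of probe that should stay under dontaudit; the user_home_t read and the admin_home_t write are reported as unexpected and are the denials to analyze before deciding whether a permission should be allowed. Because the comparison is on source type, target type, class and permission, the same script works for any domain once DONTAUDIT_RULES is fed from sesearch --dontaudit -s for that domain.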
Refer to Section 8.3.6, “Raw Audit Messages” and Section 8.3.7, “sealert Messages” for information about analyzing denials.