8.3.2. Possible Causes of Silent Denials

In certain situations, AVC denials may not be logged when SELinux denies access. Applications and system library functions often probe for more access than required to perform their tasks. To maintain least privilege without filling audit logs with AVC denials for harmless application probing, the policy can silence AVC denials without allowing a permission by using dontaudit rules. These rules are common in standard policy. The downside of dontaudit is that, although SELinux denies access, denial messages are not logged, making troubleshooting more difficult.

To temporarily disable dontaudit rules, allowing all denials to be logged, run the following command as the Linux root user:

semodule -DB

~]# semodule -DB

The -D option disables dontaudit rules; the -B option rebuilds policy. After running semodule -DB, try exercising the application that was encountering permission problems, and see if SELinux denials — relevant to the application — are now being logged. Take care in deciding which denials should be allowed, as some should be ignored and handled via dontaudit rules. If in doubt, or in search of guidance, contact other SELinux users and developers on an SELinux list, such as fedora-selinux-list.

To rebuild policy and enable dontaudit rules, run the following command as the Linux root user:

semodule -B

~]# semodule -B

This restores the policy to its original state. For a full list of dontaudit rules, run the sesearch --dontaudit command. Narrow down searches using the -s domain option and the grep command. For example:

sesearch --dontaudit -s smbd_t | grep squid

~]$ sesearch --dontaudit -s smbd_t | grep squid
dontaudit smbd_t squid_port_t : tcp_socket name_bind ;
dontaudit smbd_t squid_port_t : udp_socket name_bind ;

Refer to Section 8.3.6, “Raw Audit Messages” and Section 8.3.7, “sealert Messages” for information about analyzing denials.