Redhat – RHEL6: Selinux not logging AVC denial messages

Tags: redhat, selinux

I'm trying to configure a set of lockdown rules. My approach is to start with a restricted user, and use audit2allow messages to selectively add permissions. My problem is that I don't see the expected denial messages in /var/log/audit/audit.log.

For my test, I'm logged in to the box via SSH as a restricted user. I try to cat /etc/init.d/sshd. With SELinux enforcing, I see a "permission denied" error in the shell. With SELinux in permissive mode, I can run cat without an issue. But in either case, I don't see denial messages in the log.

Update: I do see denied messages when trying to mount a partition, but still not for cat.

Best Answer

Looks like the default SELinux policy has some dontaudit rules, which were catching this case. Once I disabled dontaudit, I see the expected behavior.

semodule --disable_dontaudit --build
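Once the dontaudit rules are disabled, the denials for the cat test show up as type=AVC lines in audit.log. The shell example below is added here and is not part of the original answer: it parses a few constructed AVC lines in that format and collapses them into audit2allow-style allow rules, so you can see which permissions the restricted user's domain is missing; the contexts and type names in the sample (user_t, initrc_exec_t, mnt_t) are assumed, not taken from the post.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log lines (not from the original post):
# two AVC denials for the "cat /etc/init.d/sshd" case, one SYSCALL record, one mount denial.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1300000000.123:45): avc:  denied  { read } for  pid=1234 comm="cat" name="sshd" dev=dm-0 ino=12345 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1300000000.124:46): avc:  denied  { open } for  pid=1234 comm="cat" path="/etc/init.d/sshd" dev=dm-0 ino=12345 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.124:46): arch=c000003e syscall=2 success=no exit=-13 comm="cat"
type=AVC msg=audit(1300000000.200:47): avc:  denied  { mounton } for  pid=1300 comm="mount" path="/mnt" dev=dm-0 ino=99 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir'

# avc_denials LOGTEXT COMM
# Print one "scontext tcontext tclass perm" line per denied permission for COMM.
avc_denials() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "type=AVC" && /avc: *denied/ {
            comm = ""; s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^scontext=/) { s = substr($i, 10) }
                if ($i ~ /^tcontext=/) { t = substr($i, 10) }
                if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            }
            if (comm != want) next
            # the denied permissions sit between "{" and "}"
            perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print s, t, c, p[j]
        }'
}

# allow_rules LOGTEXT COMM
# Collapse the denials into audit2allow-style rules: "allow src_t tgt_t:class { perms };"
allow_rules() {
    avc_denials "$1" "$2" | awk '
        {
            split($1, sp, ":"); split($2, tp, ":")   # third field of a context is the type
            key = sp[3] " " tp[3] ":" $3
            perms[key] = perms[key] " " $4
        }
        END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' | sort
}

# Stand-alone run: show the rule the cat test would need.
allow_rules "$SAMPLE_AUDIT_LOG" cat
```

After collecting the denials, rebuild with `semodule -B` so the dontaudit rules are back in place; with them disabled the audit log fills with denials the policy suppresses on purpose.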