I'm trying to configure a set of lockdown rules. My approach is to start with a restricted user, and use audit2allow messages to selectively add permissions. My problem is that I don't see the expected denial messages in /var/log/audit/audit.log.
For my test, I'm logged in to the box via SSH as a restricted user. I try to cat /etc/init.d/sshd. With SELinux enforcing, I see a "permission denied" error in the shell. With SELinux in permissive mode, I can run cat without an issue. But in either case, I don't see denial messages in the log.
Update: I do see denied messages when trying to mount a partition, but still not for cat.
Best Answer
Looks like the default SELinux policy has some dontaudit rules, which were catching this case. Once I disabled dontaudit, I see the expected behavior.
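The workflow in the question and answer is: disable the policy's dontaudit rules (on a modern system `semodule -DB` rebuilds the policy with them stripped, and `semodule -B` restores them), reproduce the access, then turn the AVC denials that now appear in audit.log into allow rules. The following is an added example, not code from the question or the answer, that re-implements in a few lines the core of what audit2allow does so you can see how a denial record becomes a rule: it parses AVC lines, merges permissions per (source type, target type, class), and emits the allow rules plus the `require` block a `.te` module needs. The audit lines below are constructed to resemble the cat and mount denials described above; they are not captured output, and the type names (`user_t`, `initrc_exec_t`, `mnt_t`) are assumed labels.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/audit/audit.log excerpt (not a real capture).
# Two AVC records for cat (one enforcing, one permissive), one for mount,
# and one SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2101 comm="cat" name="sshd" dev="dm-0" ino=4242 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="cat"
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=2101 comm="cat" path="/etc/init.d/sshd" dev="dm-0" ino=4242 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.200:203): avc:  denied  { mounton } for  pid=2150 comm="mount" path="/mnt" dev="dm-0" ino=2 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=0
"""

# Pull the permission set, source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text, comm=None):
    """Return a list of denial dicts; optionally keep only records for one comm."""
    denials = []
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL, PATH, etc. carry no avc: denied payload
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            # context is user:role:type[:level]; the type is what allow rules use
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return denials


def generate_allow_rules(denials):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(merged.items())
    ]


def generate_te_module(denials, name="local"):
    """Build the text of a policy module (.te) in the shape audit2allow -M produces."""
    types, classes = set(), defaultdict(set)
    for d in denials:
        types.update((d["stype"], d["ttype"]))
        classes[d["tclass"]] |= d["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + generate_allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Restrict to the cat test first, as the question does, then show the full module.
    print("\n".join(generate_allow_rules(parse_denials(SAMPLE_AUDIT_LOG, comm="cat"))))
    print(generate_te_module(parse_denials(SAMPLE_AUDIT_LOG)))
```

On a real box the same pipeline is `ausearch -m avc -ts recent | audit2allow -M local` followed by `semodule -i local.pp`; the value of doing it by hand once is seeing that every permission collected while dontaudit was disabled or the system was permissive ends up in the rule, so the generated module should be read before it is loaded, and `semodule -B` run afterwards so the silenced denials stay silent in normal operation.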