action #120070
closed
Upload and check the content of audit.log
Added by mloviska about 2 years ago.
Updated about 2 years ago.
Description
Expand journal_check.pm to handle audit.log content. Currently, SELinux runs in permissive mode, meaning it logs denials but does not act upon them.
Search for AVC denials in /var/log/audit/audit.log.
Thanks for opening this ticket. Let me add some details I discussed with various people:
- Goal is to get AVC denials for arbitrary tests, not for a single test.
- Having a mapping between AVC and test would be necessary. Doesn't need to be super granular, but at least to know which high-level test triggered which AVC.
This is the requirement for now. Later on we might want to have a baseline defined for each test and fail upon new AVCs, but that is just something that you might want to consider when planning the original solution. That's not necessary for now.
- Status changed from In Progress to Feedback
- Status changed from Feedback to Resolved
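A stand-alone sketch of the check discussed in this ticket, added here as an example and not code from journal_check.pm or the project: it extracts `avc: denied` records from audit.log text and attributes each one to a high-level test by timestamp. The log lines, the test names and the time-window mapping are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log content (not from a real run).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1668510005.120:301): avc:  denied  { read open } for  pid=2211 comm="rsyslogd" path="/var/log/messages" dev="vda2" ino=4312 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1668510005.120:301): arch=c000003e syscall=257 success=yes exit=5 pid=2211 comm="rsyslogd"
type=AVC msg=audit(1668510042.877:318): avc:  denied  { name_connect } for  pid=2460 comm="curl" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1668510043.001:319): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1668510200.004:402): avc:  denied  { write } for  pid=3001 comm="logrotate" name="wtmp" dev="vda2" ino=5120 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
'''
# Hypothetical (name, start, end) epoch windows recorded by the test harness.
TEST_WINDOWS = [('first_boot', 1668510000.0, 1668510030.0),
                ('web_server', 1668510030.0, 1668510090.0)]

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_denials(log_text):
    """Yield one dict per 'avc: denied' record; all other records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in FIELD_RE.findall(m['fields'])}
        yield {'ts': float(m['ts']), 'serial': int(m['serial']),
               'perms': tuple(m['perms'].split()), 'comm': kv.get('comm'),
               'scontext': kv.get('scontext'), 'tcontext': kv.get('tcontext'),
               'tclass': kv.get('tclass'),
               # permissive=1 means the denial was logged but not enforced
               'permissive': kv.get('permissive') == '1'}


def map_to_tests(denials, windows):
    """Group denials by the test whose [start, end) window holds the timestamp."""
    by_test = defaultdict(list)
    for d in denials:
        name = next((n for n, s, e in windows if s <= d['ts'] < e), 'unattributed')
        by_test[name].append(d)
    return dict(by_test)


if __name__ == '__main__':
    for test, found in map_to_tests(parse_denials(SAMPLE_AUDIT_LOG), TEST_WINDOWS).items():
        for d in found:
            print(test, d['comm'], d['perms'], d['scontext'], '->', d['tcontext'], d['tclass'])
```

Denials that fall outside every window are kept under `unattributed` rather than dropped, so records logged between tests remain visible.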