Where does Fedora 16 log boot-time SELinux denial messages? Under Fedora 14 and previous (for sure) and under Fedora 15 (I think), messages were logged via syslog and appeared in /var/log/messages until auditd started. However, this is apparently not happening with Fedora 16 -- how can I get these denial messages?
Details:
I have a Fedora 16 server install (no X Windows and with network.service replacing NetworkManager.service, but otherwise nearly an out-of-the-box installation), and everything works OK until I do "setsebool -P secure_mode_insmod=on" and reboot. At that point -- not unexpectedly -- a number of kernel modules fail to load. For example, from /var/log/messages:
Nov 26 03:35:32 f16dev1 nfs-lock.preconfig[897]: FATAL: Error inserting lockd (/lib/modules/3.1.2-1.fc16.x86_64/kernel/fs/lockd/lockd.ko): Operation not permitted
Network interfaces such as eth0 also fail to come up. However, there are no SELinux denial messages logged to /var/log/messages, to any other file in /var/log, or to /var/log/audit/audit.log.
Setting secure_mode_insmod=off and rebooting results in the system coming back up with all services started and no error messages. So I'm sure there should be some SELinux denials when I boot with secure_mode_insmod=off that I'm not seeing.
I've searched the web and read the auditd and systemd man and web pages without finding a solution. Any idea how to get the SELinux denial messages that get generated before auditd is started?
-- Mark Montague mark@catseye.org
On November 25, 2011 23:24 , Mark Montague mark@catseye.org wrote:
Where does Fedora 16 log boot-time SELinux denial messages? Under Fedora 14 and previous (for sure) and under Fedora 15 (I think), messages were logged via syslog and appeared in /var/log/messages until auditd started. However, this is apparently not happening with Fedora 16 -- how can I get these denial messages?
I found the answer: the messages were not being generated due to dontaudit rules. For some reason, I had thought that the denial messages I was expecting were generated under previous versions of Fedora, and so I did not consider dontaudit rules right away.
Following the advice in Dan's article ( http://danwalsh.livejournal.com/11673.html ) to run "semodule -DB" caused the desired denial messages to be logged.
-- Mark Montague mark@catseye.org
selinux@lists.fedoraproject.org