Is there any debug stream available that can tell me what is being processed by the SELinux system? Specifically, I'd like to be able to follow the trail from starting an executable, through its state transitions, what files it reads, and what their file contexts are, and what transitions happen as it calls external programs.
Thanks, -Tim
Timothy Renner wrote:
> Is there any debug stream available that can tell me what is being processed by the SELinux system? Specifically, I'd like to be able to follow the trail from starting an executable, through its state transitions, what files it reads, and what their file contexts are, and what transitions happen as it calls external programs.
> Thanks, -Tim
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can probably set up the auditing subsystem to track this. Not that I would know how.
On Fri, Oct 24, 2008 at 03:38:15PM -0700, Timothy Renner wrote:
> Is there any debug stream available that can tell me what is being processed by the SELinux system? Specifically, I'd like to be able to follow the trail from starting an executable, through its state transitions, what files it reads, and what their file contexts are, and what transitions happen as it calls external programs.
Most of this is visible in strace. Some post processing will fill in the gaps.
Try something like (start a traced shell, then type the remaining lines into it):
  strace -f -o /tmp/trace-my-subshell sh
  bash
  id
  program
  exit
  exit
Look at the system calls for mmap, fstat, setcon, open, read, write, access, close, etc. to see what files it reads, attempts to read, writes, attempts to write, libraries and so on.
After building a list of files you can use 'stat' to learn what the context of each file is.
  $ stat -Z /etc/shadow
  $ stat -Z /etc/passwd
Most but not all interactions can just be seen with strace. If you are more interested in tracing SELinux itself some value may be found by running in permissive mode. Like tracing SUID/SGID processes, Hawthorne and Heisenberg issues come into play. You will not be able to trace stuff beyond your level.
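As an added illustration of the post-processing step (not code from the reply above), the following POSIX shell script pulls the executed programs, the touched files and the refused accesses out of a constructed strace -f log and then labels each file with its SELinux context. It assumes GNU coreutils stat, whose %C format is taken here to print the same context as the stat -Z form above, and it falls back to a plain listing when no selinuxfs is mounted.

```shell
#!/bin/sh
# Constructed sample of 'strace -f -o' output (not a real trace): pid, syscall, result.
SAMPLE_TRACE='1234 execve("/bin/bash", ["bash"], 0x7ffd1000) = 0
1234 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
1235 execve("/usr/bin/id", ["id"], 0x55d02000) = 0
1235 access("/etc/selinux/config", R_OK) = 0
1235 openat(AT_FDCWD, "/proc/self/attr/current", O_RDONLY) = 3'
TRACE_FILE=$(mktemp)
trap 'rm -f "$TRACE_FILE"' EXIT
printf '%s\n' "$SAMPLE_TRACE" > "$TRACE_FILE"

# Every distinct path the traced processes executed, opened or probed.
trace_files() {
    grep -E '^[0-9]+ +(execve|open|openat|access|stat|lstat|readlink)\(' "$1" \
        | sed -E 's/^[^"]*"([^"]*)".*/\1/' | sort -u
}

# Successful execve calls as "pid path": the points where a domain transition can occur.
trace_execs() {
    grep -E '^[0-9]+ +execve\(.*\) += 0$' "$1" \
        | sed -E 's/^([0-9]+) +execve\("([^"]*)".*/\1 \2/'
}

# Refused accesses as "path errno". An SELinux denial shows up here as EACCES/EPERM
# (and, unless covered by dontaudit, as an AVC record in the audit log).
trace_denied() {
    grep -E '= -1 E(ACCES|PERM) ' "$1" \
        | sed -E 's/^[^"]*"([^"]*)".*= -1 (E[A-Z]+).*/\1 \2/'
}

# Label each file with its context via GNU stat's %C format (assumption: this
# matches what 'stat -Z' printed on the coreutils of the era).
file_contexts() {
    trace_files "$1" | while IFS= read -r path; do
        if { [ -f /sys/fs/selinux/enforce ] || [ -f /selinux/enforce ]; } && [ -e "$path" ]; then
            stat -c '%C %n' "$path"
        else
            printf '%s (no context: SELinux not active or file absent)\n' "$path"
        fi
    done
}

echo "== executables ==";   trace_execs "$TRACE_FILE"
echo "== denied ==";        trace_denied "$TRACE_FILE"
echo "== file contexts =="; file_contexts "$TRACE_FILE"
```

Point the functions at /tmp/trace-my-subshell from the session above instead of the constructed sample to get the real list.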
On Fri, 2008-10-24 at 15:38 -0700, Timothy Renner wrote:
> Is there any debug stream available that can tell me what is being processed by the SELinux system? Specifically, I'd like to be able to follow the trail from starting an executable, through its state transitions, what files it reads, and what their file contexts are, and what transitions happen as it calls external programs.
Options:
- Use system call auditing (see man pages for autrace, auditctl, auditd; ask questions on linux-audit@redhat.com).
or
- Add auditallow rules to the domain for the program in order to trigger auditing of permission grantings.
And of course, denials are already audited by SELinux by default.