Does the loading and removing of modules by semodule get logged anywhere? Apparently not. That would seem to be pretty important information.
On Wed, Apr 21, 2010 at 01:36:13AM -0500, Robert Nichols wrote:
> Does the loading and removing of modules by semodule get logged anywhere? Apparently not. That would seem to be pretty important

/var/log/messages displays when policy is loaded. It does not display why (e.g. maybe because a particular module was disabled or removed)
It may or may not be a good idea to mention that somewhere though.

> information.
> -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.
On 04/21/2010 04:24 AM, Dominick Grift wrote:
> On Wed, Apr 21, 2010 at 01:36:13AM -0500, Robert Nichols wrote:
>> Does the loading and removing of modules by semodule get logged anywhere? Apparently not. That would seem to be pretty important
>
> /var/log/messages displays when policy is loaded. It does not display why (e.g. maybe because a particular module was disabled or removed)
> It may or may not be a good idea to mention that somewhere though.

When I've been installing and removing local modules trying to fix a problem, it would be extremely useful to be able to tell what modules were in place at the time a particular AVC was logged. Without that information it is sometimes hard to tell what, if anything, got fixed by what module.
On 04/21/2010 10:41 AM, Robert Nichols wrote:
> On 04/21/2010 04:24 AM, Dominick Grift wrote:
>> On Wed, Apr 21, 2010 at 01:36:13AM -0500, Robert Nichols wrote:
>>> Does the loading and removing of modules by semodule get logged anywhere? Apparently not. That would seem to be pretty important
>>
>> /var/log/messages displays when policy is loaded. It does not display why (e.g. maybe because a particular module was disabled or removed)
>> It may or may not be a good idea to mention that somewhere though.
>
> When I've been installing and removing local modules trying to fix a problem, it would be extremely useful to be able to tell what modules were in place at the time a particular AVC was logged. Without that information it is sometimes hard to tell what, if anything, got fixed by what module.

So you want the Module name and version recorded in syslog?
Every time selinux-policy gets installed there would be 220 modules installed, giving you 220 log lines. If you installed multiple selinux policies (mls, minimum, targeted), each one would put a hell of a lot of lines in the log file.
On 04/21/2010 09:46 AM, Daniel J Walsh wrote:
> On 04/21/2010 10:41 AM, Robert Nichols wrote:
>> On 04/21/2010 04:24 AM, Dominick Grift wrote:
>>> On Wed, Apr 21, 2010 at 01:36:13AM -0500, Robert Nichols wrote:
>>>> Does the loading and removing of modules by semodule get logged anywhere? Apparently not. That would seem to be pretty important
>>>
>>> /var/log/messages displays when policy is loaded. It does not display why (e.g. maybe because a particular module was disabled or removed)
>>> It may or may not be a good idea to mention that somewhere though.
>>
>> When I've been installing and removing local modules trying to fix a problem, it would be extremely useful to be able to tell what modules were in place at the time a particular AVC was logged. Without that information it is sometimes hard to tell what, if anything, got fixed by what module.
>
> So you want the Module name and version recorded in syslog?
> Every time selinux-policy gets installed there would be 220 modules installed, giving you 220 log lines. If you installed multiple selinux policies (mls, minimum, targeted), each one would put a hell of a lot of lines in the log file.

No, but when I run commands that insert or remove modules into/from the policy, I would like _that_ to be recorded, unless of course you can tell me some other way of finding out what version of rootprocmail1.pp was active at 3:48 PM yesterday.
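
One way to get the record asked for in this thread, as an added example that is not from any of the posters or from the SELinux tools: a shell wrapper that journals each `semodule -i` / `semodule -r` call, plus a query that replays the journal to list the modules in place at a given time. The journal path, its line format and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: change journal for local SELinux policy modules.
# Journal line format (assumed by this example): EPOCH ACTION MODULE VERSION
MODLOG="${MODLOG:-/var/log/semodule-changes.log}"   # hypothetical path

# Append one journal entry and mirror it to syslog when logger is available.
record_change() {   # record_change ACTION MODULE VERSION [EPOCH]
    ts="${4:-$(date +%s)}"
    printf '%s %s %s %s\n' "$ts" "$1" "$2" "$3" >> "$MODLOG"
    if command -v logger >/dev/null 2>&1; then
        logger -t semodule-journal "$1 module=$2 version=$3" 2>/dev/null || true
    fi
}

# Run semodule for an install (-i FILE.pp) or removal (-r NAME), then journal it.
semodule_logged() {
    case "$1" in
        -i) name=$(basename "$2" .pp); action=install ;;
        -r) name=$2; action=remove ;;
        *)  echo "usage: semodule_logged -i FILE.pp | -r NAME" >&2; return 2 ;;
    esac
    semodule "$1" "$2" || return
    # Version column of "semodule -l"; "-" after a removal or when the
    # listing carries no version.
    ver=$(semodule -l | awk -v m="$name" '$1 == m { print $2 }')
    record_change "$action" "$name" "${ver:--}"
}

# Replay the journal up to EPOCH and print "MODULE VERSION" for each module
# installed at that moment. Entries are assumed to be in time order.
modules_active_at() {   # modules_active_at EPOCH
    awk -v t="$1" '
        $1 > t          { next }
        $2 == "install" { ver[$3] = $4 }
        $2 == "remove"  { delete ver[$3] }
        END { for (m in ver) print m, ver[m] }
    ' "$MODLOG" | sort
}
```

The `msg=audit(EPOCH.msec:serial)` field of an AVC record already carries the epoch value to pass to `modules_active_at`.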