You do something, and it won’t work. In this example it’s Tomcat trying to delete a file. You already wrote an SELinux module to allow reads, but now you need to delete as well. So then you resort to the audit logs again. But there’s nothing in there. Then you put the tomcat_t domain under permissive mode with:
semanage permissive -a tomcat_t
Even verify it with:
semanage permissive -l
It’s there. And then deletes start to work. But you get no friggin’ denies in the audit log. WTF. Then you realize that silent denies are a thing. So you disable dontaudit rules, too:
semodule -DB
Nope, nothing, nada. So then you remove the explicit tomcat_t rule:
semanage permissive -d tomcat_t
Set SELinux altogether to permissive via /etc/selinux/config, and reboot. Tomcat can still delete. But this time you actually get the errors when checking with aureport -a (thanks, kslawko!):
175. 11/08/2017 14:37:18 java system_u:system_r:tomcat_t:s0 87 dir remove_name system_u:object_r:cifs_t:s0 denied 191
176. 11/08/2017 14:37:18 java system_u:system_r:tomcat_t:s0 87 file unlink system_u:object_r:cifs_t:s0 denied 191
Wonderful. SELinux is bugged. When you get no denies, just switch the whole system to permissive. Noted.
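As an added example that is not part of the original post: once aureport -a finally shows the denials, the two lines above can be turned into a small local policy module, which is what audit2allow does for you. The script below reads those aureport columns (num, date, time, comm, scontext, pid, class, perm, tcontext, result, event) and emits a .te module; the module name and the sample input embedded in it are my own constructions from the page's two lines.

```shell
#!/bin/sh
# Added example (not the post's own code): turn 'aureport -a' denial lines
# into a minimal type-enforcement (.te) module, the way audit2allow would.
# 'aureport -a' column layout, as shown on the page:
#   num date time comm scontext pid class perm tcontext result event
# Sample input constructed from the two denials quoted above.
AUREPORT_SAMPLE='175. 11/08/2017 14:37:18 java system_u:system_r:tomcat_t:s0 87 dir remove_name system_u:object_r:cifs_t:s0 denied 191
176. 11/08/2017 14:37:18 java system_u:system_r:tomcat_t:s0 87 file unlink system_u:object_r:cifs_t:s0 denied 191'

# denials_to_te MODULE_NAME  < aureport-output
# Keeps only 'denied' rows and prints a .te module: a require block plus one
# allow rule per distinct (source type, target type, class, permission).
denials_to_te() {
    awk -v mod="$1" '
    $10 == "denied" {
        split($5, s, ":"); split($9, t, ":")   # 3rd field of a context is the type
        types[s[3]] = 1; types[t[3]] = 1
        if (!(($7, $8) in seenperm)) {         # collect perms per object class
            seenperm[$7, $8] = 1
            perms[$7] = perms[$7] " " $8
        }
        rule = "allow " s[3] " " t[3] ":" $7 " " $8 ";"
        if (!(rule in seenrule)) { seenrule[rule] = 1; rules[n++] = rule }
    }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (ty in types) print "\ttype " ty ";"
        for (cl in perms) print "\tclass " cl " {" perms[cl] " };"
        print "}"
        print ""
        for (i = 0; i < n; i++) print rules[i]
    }'
}

# Review the rules before loading them (a blanket allow on cifs_t may be
# wider than the one directory Tomcat actually needs), then build and load
# with the standard tools (root required):
#   checkmodule -M -m -o local.mod local.te
#   semodule_package -o local.pp -m local.mod
#   semodule -i local.pp
printf '%s\n' "$AUREPORT_SAMPLE" | denials_to_te tomcat_cifs_local
```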