On Saturday, January 07, 2012 11:15:35 AM Bennett Haselton wrote:
> Hence the idea for having SELinux send messages to the terminal saying
> "SELinux blocked such-and-such". There's probably some better way.

Huh? CentOS has done this by default since CentOS 4. At least I see SELinux-generated 'denied' AVCs on a couple of internal C4 machines where I'm running SELinux in permissive mode and I see the denials on a text console. All my CentOS 5 boxes have SELinux on and enforcing, but I haven't seen any avc denials in the logs or on the console, nor have I done anything 'weird' on those boxes....

The graphical GNOME installation pops up a tooltip-style balloon when SELinux denials are found, at least with CentOS 6. Haven't tried with C5.

Now, nowhere in the logged message does it say 'SELinux' but a Google for the text found in such an avc denial log entry brings up what you need to know. Here's an example:

audit(1325941406.515:467): avc: denied { write } for pid=6609 comm="postmaster" name="1262" dev=dm-0 ino=2016007 scontext=root:system_r:postgresql_t tcontext=user_u:object_r:var_t tclass=file

(I know how to fix it, I just haven't).

This by default comes to the /dev/console device along with being logged in dmesg and elsewhere.
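
A small parser for the AVC record format quoted in the message above, added here as an example and not part of the original post: it turns a record into the kind of "SELinux blocked such-and-such" line the thread asks for. The function names and the second sample line are constructed for illustration.

```python
import re

# Record shape: audit(<epoch>.<ms>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"epoch": int(m["epoch"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    # A security context is user:role:type, optionally followed by an MLS level.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def summarize(rec):
    """One-line description that names SELinux explicitly, unlike the raw record."""
    return 'SELinux {} {} (pid {}, domain {}): {} on {} "{}" labeled {}'.format(
        "blocked" if rec["result"] == "denied" else "allowed",
        rec.get("comm", "?"), rec.get("pid", "?"), rec["scontext_type"],
        ",".join(rec["perms"]), rec.get("tclass", "?"),
        rec.get("name", "?"), rec["tcontext_type"])


def report(lines):
    """Summaries for every AVC record in lines; other lines are skipped."""
    return [summarize(r) for r in map(parse_avc, lines) if r]


# First entry is the record quoted in the post; the second is a constructed non-AVC line.
SAMPLE = [
    'audit(1325941406.515:467): avc: denied { write } for pid=6609 '
    'comm="postmaster" name="1262" dev=dm-0 ino=2016007 '
    'scontext=root:system_r:postgresql_t tcontext=user_u:object_r:var_t tclass=file',
    'kernel: eth0: link up (constructed non-AVC line)',
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The source type (postgresql_t) and target type (var_t) in the summary are the two values to look at when working out whether the file is mislabeled or the policy needs a rule.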