Logging positive policy decisions
On some occasions, the system performs actions that the administrator might not expect, but which are allowed by the SELinux policy, making it harder to debug potential problems. An application might be SELinux-aware, causing its own behavior to depend on the SELinux policy, without actually using the SELinux subsystem to enforce access. The SELinux policy might also be configured to behave differently than expected.
In such situations, it might be important to have SELinux log activities that were actually allowed rather than denied; for instance, logging domain transitions to make sure that a transition has indeed occurred.
How to do it…
In order to have domain transitions logged, create an SELinux policy by performing the following steps:
Identify the source and target domains to look out for.
Create an SELinux policy that calls the auditallow statement on the access vector we want to log:
auditallow initrc_t postgresql_t:process transition;
Build and load the...
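Once an auditallow rule such as the one above is loaded, the kernel writes the allowed access to the audit log as an AVC record marked granted instead of denied. The following is an added example, not part of the original text, that scans audit records for such entries to confirm that the initrc_t to postgresql_t transition occurred; the sample log lines and the function names are constructed for illustration.

```python
import re

# Constructed sample records, not taken from the page or from a real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.101:210): avc:  granted  { transition } for  pid=2311 comm="postgresql" path="/usr/bin/postgres" dev="dm-0" ino=1234 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=process
type=AVC msg=audit(1400000003.250:214): avc:  denied  { read } for  pid=2400 comm="httpd" name="secret" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1400000005.007:220): avc:  granted  { transition } for  pid=2450 comm="sshd" path="/usr/sbin/sshd" dev="dm-0" ino=555 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>granted|denied)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """A context is user:role:type[:mls]; the type is the third field."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
    }


def granted_events(log, source, target, tclass="process", perm="transition"):
    """AVC records where the given access was allowed and logged."""
    recs = (parse_avc(line) for line in log.splitlines())
    return [r for r in recs if r and r["result"] == "granted"
            and (r["source"], r["target"], r["tclass"]) == (source, target, tclass)
            and perm in r["perms"]]


if __name__ == "__main__":
    for rec in granted_events(SAMPLE_LOG, "initrc_t", "postgresql_t"):
        print(rec["serial"], rec["comm"], rec["source"], "->", rec["target"])
```
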