I recently ran into an issue while writing an SELinux policy where the program was silently being denied write permissions to tmp_t:dir—nothing would show up in ausearch or the SELinux Troubleshooter. This led me down a long rabbit hole trying to reproduce the issue, which eventually narrowed it down to the missing write permission.
Obviously making this mistake is easy to avoid with macros, but I hadn’t learned about the files_manage_generic_tmp_files, manage_files_pattern, or rw_dir_perms macros (not a lot of good resources out there I could find, but Fedora SELinux policy repo and The SELinux Notebook came in handy). Regardless, does anyone know why SELinux doesn’t log anything for write on dir or if there’s a way to fix that? Solving totally silent SELinux issues is a pain.
And if it’s a bug, someone pointing me in the right direction for where to report that would also be appreciated.
Is this because it is the dir permissions that blocked write and not selinux?
If that is true then there is nothing for selinux to audit.
You could turn off selinux and run your test to confirm this.
That’s not the issue. /tmp is a sticky directory so the program does indeed work fine in permissive mode. It is being denied completely on the SELinux side. Adding allow myprogram_t tmp_t:dir write; (if you have all the other necessary permissions allowed already of course) makes it work perfectly fine, but without write being allowed in SELinux there is just no indication that it was ever denied—even with dontaudit rules disabled it would seem—which is what I’m worried about here.
I think I’m going to run a test on a VM on a different distro before emailing the SELinux mailing list because I don’t see what else it could be other than a bug in the SELinux kernel subsystem if the issue persists on another distro.