-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Todd Walton wrote:
> In the latest issue of SysAdmin, there's an excellent article on
> SELinux and audit2allow.  You can have SELinux disallow everything not

Yes, I use audit2allow when I run into a problem. However it is still
rather complicated to know exactly where in the policy to add your
changes so they will take effect. I still screw it up half the time.
Another thing that bugs me is that applications are not aware of SE
Linux. So they will sometimes behave strangely in ways that are not
obviously security related so you might not think that SE Linux is
denying something which causes a problem. You have to think to look in
the log file or dmesg to know if SE Linux is denying something. I once
had an employee create a cgi in the cgi-bin dir of Apache. It would
refuse to output anything when you ran it. But if we copied the cgi to
the user's homedir it would run just fine. Took quite a while to realize
that the cgi-bin directory is labelled with a special context and will
not allow many things to happen to protect the system from exploits in
cgi's.

- --
Tracy R Reed
http://ultraviolet.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFC5m/M9PIYKZYVAq0RApYeAJsHI+tV1K+ynNRBGO/iwtUAFTDQywCfegxY
Taso9j5Reyb4Ubhq+SQVraE=
=tPLr
-----END PGP SIGNATURE-----


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
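
As an added example (not part of the original message): a small Python script that pulls SELinux AVC denials out of audit-log or dmesg text and groups them by source type, target type and object class, which is the check the message describes for a program that fails without an obvious security error. The log lines are constructed sample data, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's AVC denial format (not taken from the message).
SAMPLE_LOG = """\
type=AVC msg=audit(1122400001.101:41): avc:  denied  { write } for  pid=2311 comm="report.cgi" name="out.txt" dev=hda2 ino=7781 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1122400002.202:42): avc:  denied  { read getattr } for  pid=2311 comm="report.cgi" name="data.db" dev=hda2 ino=7790 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1122400003.303:43): avc:  denied  { write add_name } for  pid=2312 comm="report.cgi" name="scratch" dev=hda2 ino=7802 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1122400003.303:43): arch=40000003 syscall=39 success=no exit=-13
Jul 26 10:00:04 host sshd[900]: Accepted publickey for tracy
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    fields["perms"] = m.group("perms").split()
    return fields

def selinux_type(context):
    """Extract the type from user:role:type or user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (source type, target type, class); collect perms and commands."""
    grouped = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]),
               selinux_type(rec["tcontext"]), rec["tclass"])
        grouped[key]["perms"].update(rec["perms"])
        grouped[key]["comms"].add(rec.get("comm", "?"))
    return dict(grouped)

if __name__ == "__main__":
    for (src, tgt, cls), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} denied {sorted(info['perms'])} on {tgt}:{cls} "
              f"(comm: {', '.join(sorted(info['comms']))})")
```

Feeding it the real audit log or saved dmesg output instead of `SAMPLE_LOG` shows at a glance which confined domain was blocked and on which labelled object.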
