This whole thread has been great. I have learned a lot. Thank you.

On Thursday, February 06, 2014 17:23:08 Jima wrote:
> On 2014-02-06 12:13, S. Dale Morrey wrote:
> > A tool like SELinux really needs to be more intelligent. Adding a "study
> > what this process does" mode and allowing it to learn the norms of the
> > process would in my mind justify the hassle of going in and telling it
> > "yeah sorry daemonX was supposed to be able to do that particular thing"
> > on the rare occasion that a daemon does change behavior by design.
>
> OK, speaking very specifically about CentOS (and Fedora), here's a
> quick "coping with SELinux" primer:
>
> # yum install policycoreutils-python
> (do something that SELinux doesn't allow, actually can be done before
> installing policycoreutils-python)
> # audit2allow -M policy1 < /var/log/audit/audit.log
> (following the instructions provided in audit2allow's output...)
> # semodule -i policy1.pp
> (now to flush the audit log out so your next invocation of audit2allow
> won't try to combat what you've already permitted)
> # mv /var/log/audit/audit.log <somewhereelse> && service auditd restart
> (rinse/repeat with policy2, policy3, etc)
>
> Mind you, you wouldn't want to do that blindly (you can and should
> read policy1.te before loading policy1.pp), but that's how to make
> SELinux play nice with arbitrary software. policycoreutils-python also
> includes audit2why, which attempts to explain why SELinux blocked a
> particular action from happening. The key thing when allowing things
> through SELinux's watchful gaze is to make sure that it's blocking your
> actions and not someone else's. ;-)
>
> Jima
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
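The audit2allow workflow quoted above takes every denial in audit.log and turns it into an allow rule, which is exactly why the quoted advice is to make sure the denials are yours. As an added example that is not part of the original thread, here is a pre-filter that keeps only the AVC records for one process inside the time window in which you exercised it, and summarises what the resulting module would grant so it can be read before `semodule -i`. The daemonx process name and the log lines are constructed for the example; the filtered lines are what you would feed to `audit2allow -M policy1` instead of the whole log.

```python
# Pre-filter audit.log before piping it to audit2allow: keep only the AVC
# denials from the process you are deliberately exercising, inside the time
# window you exercised it, and summarise what allowing them would grant.
import re
from collections import defaultdict

# Constructed sample audit.log excerpt, not a real capture (hypothetical daemonx).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1391708400.101:201): avc:  denied  { read } for  pid=4321 comm="daemonx" name="app.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:daemonx_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1391708401.250:202): avc:  denied  { name_bind } for  pid=4321 comm="daemonx" src=8080 scontext=system_u:system_r:daemonx_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1391708402.000:203): avc:  denied  { write } for  pid=999 comm="sshd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1391799999.000:204): avc:  denied  { read } for  pid=4400 comm="daemonx" name="id_rsa" dev="dm-0" ino=88 scontext=system_u:system_r:daemonx_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file
type=SYSCALL msg=audit(1391708400.101:201): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def filter_denials(log_text, comm, start, end):
    """Return raw AVC lines for `comm` whose timestamp lies in [start, end].
    Other processes' denials and non-AVC records (SYSCALL etc.) are dropped,
    so they can never turn into allow rules."""
    kept = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m and m.group("comm") == comm and start <= float(m.group("ts")) <= end:
            kept.append(line)
    return kept

def summarize(lines):
    """Group kept denials by (source type, target type, class) -> permissions,
    the same shape as the allow rules audit2allow would write into the .te."""
    grants = defaultdict(set)
    for line in lines:
        m = AVC_RE.match(line)
        key = (m.group("scontext").split(":")[2],
               m.group("tcontext").split(":")[2], m.group("tclass"))
        grants[key].update(m.group("perms").split())
    return {k: sorted(v) for k, v in grants.items()}

if __name__ == "__main__":
    kept = filter_denials(SAMPLE_AUDIT_LOG, "daemonx", 1391708400, 1391708500)
    print("\n".join(kept))  # this is what you would pipe into: audit2allow -M policy1
    for (src, tgt, cls), perms in summarize(kept).items():
        print(f"# would allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
```

With the sample log, the sshd denial and the later daemonx read of id_rsa are both dropped, so neither ends up as an allow rule.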
