Hello Ritesh,
The messages are not particularly useful, until the files have been
given proper labels and such basic stuff.

> type=AVC msg=audit(1202138504.205:41): avc:  denied  { read } for  pid=9413 
> comm="leafnode" name="news" dev=dm-2 ino=4199432 
> scontext=system_u:system_r:tcpd_t:s0 
> tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

Notice the source context, tcpd_t.
You don't want leafnode to run as "tcp wrapper". You want it to have
its own domain. Which applications get which domains, and which
executables trigger a domain change cannot be automatically guessed by
audit2why. Audit2why is only useful once the other stuff is in place.

And assigning appropriate domains to files etc. requires *previous
knowledge* of the application, and I don't use leafnode.
I can guess you'll probably want /var/spool/news (or whatever it's
using!) to have a context like news_spool_t or so (have a look at the
INN policy, what it is using!), and you might want to make the leafnode
binary an entry point into the leafnode_t domain, at least when executed
by tcpd_t.
But there is no way I'm ever going to produce you a somewhat useful
policy just by that couple of log messages. As stated above, you need to
know the application to be able to tell what types of files it uses that
might require similar or different access policy and so on. This can
only be done by users of that particular application.

(Apart from myself not using SELinux these days, since I'm way too busy
with other stuff such as writing my thesis. I'm no longer responsible
for the servers I used SELinux on earlier.)

Have a look at the SELinux documentation. Especially on some tutorials
posted in RJC's blog and in my blog. They're not particularly hard to
find.

best regards,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
                Without tears, the soul has no rainbow.                V_/_
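What the mail sketches, written out as an added example (this is not code from Erich's mail, nor leafnode's or any distribution's own policy): a minimal reference-policy module that gives leafnode its own domain, makes the binary an entry point so that tcpd_t transitions into it, and gives the spool a private type instead of the generic var_spool_t from the denial. The paths /usr/sbin/leafnode and /var/spool/news, the type names leafnode_t, leafnode_exec_t and leafnode_spool_t, and the presence of the refpolicy development Makefile are all assumptions; the permissions granted cover only the dir/file access the quoted denial asked for, and real use will surface further denials that have to be judged with knowledge of the application, exactly as the mail says.

```shell
#!/bin/sh
# Added example, not part of the original mail or of leafnode.
# Assumptions: refpolicy macros (policy_module, domtrans_pattern,
# manage_*_pattern) are available, leafnode lives at /usr/sbin/leafnode
# and its spool at /var/spool/news. Type names are made up for this example.

# Write leafnode.te and leafnode.fc into the directory given as $1.
write_leafnode_policy() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/leafnode.te" <<'EOF'
policy_module(leafnode, 0.1)

require {
    # source domain seen in the AVC denial
    type tcpd_t;
}

# Own domain plus entry-point type, instead of running as tcpd_t.
type leafnode_t;
type leafnode_exec_t;
domain_type(leafnode_t)
domain_entry_file(leafnode_t, leafnode_exec_t)
role system_r types leafnode_t;

# Private spool type, instead of the generic var_spool_t.
type leafnode_spool_t;
files_type(leafnode_spool_t)

# tcpd_t executing a leafnode_exec_t file transitions to leafnode_t.
domtrans_pattern(tcpd_t, leafnode_exec_t, leafnode_t)

# The dir/file access from the denial, scoped to the private spool type.
manage_dirs_pattern(leafnode_t, leafnode_spool_t, leafnode_spool_t)
manage_files_pattern(leafnode_t, leafnode_spool_t, leafnode_spool_t)
EOF
    cat > "$dir/leafnode.fc" <<'EOF'
/usr/sbin/leafnode      --      gen_context(system_u:object_r:leafnode_exec_t,s0)
/var/spool/news(/.*)?           gen_context(system_u:object_r:leafnode_spool_t,s0)
EOF
}

# Build, load and relabel. Only meaningful on a host with the SELinux
# toolchain; otherwise the policy is left written but unbuilt.
install_leafnode_policy() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "no refpolicy devel Makefile; policy written to $dir but not built" >&2
        return 2
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile leafnode.pp ) || return 1
    semodule -i "$dir/leafnode.pp" || return 1
    # Apply the new file contexts so the entry point and spool get their labels.
    restorecon -Rv /usr/sbin/leafnode /var/spool/news
}
```

After loading, a second look at the audit log should show leafnode's denials with scontext=...:leafnode_t instead of tcpd_t; only then is audit2why's output about the remaining denials worth reading.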