On 2014-02-06 12:13, S. Dale Morrey wrote:
> A tool like SELinux really needs to be more intelligent. Adding a "study
> what this process does" mode and allowing it to learn the norms of the
> process would in my mind justify the hassle of going in and telling it
> "yeah sorry daemonX was supposed to be able to do that particular thing" on
> the rare occasion that a daemon does change behavior by design.
OK, speaking very specifically about CentOS (and Fedora), here's a
quick "coping with SELinux" primer:
# yum install policycoreutils-python
(do something that SELinux doesn't allow, actually can be done before
installing policycoreutils-python)
# audit2allow -M policy1 < /var/log/audit/audit.log
(following the instructions provided in audit2allow's output...)
# semodule -i policy1.pp
(now to flush the audit log out so your next invocation of audit2allow
won't try to combat what you've already permitted)
# mv /var/log/audit/audit.log <somewhereelse> && service auditd restart
(rinse/repeat with policy2, policy3, etc)
Mind you, you wouldn't want to do that blindly (you can and should
read policy1.te before loading policy1.pp), but that's how to make
SELinux play nice with arbitrary software. policycoreutils-python also
includes audit2why, which attempts to explain why SELinux blocked a
particular action from happening. The key thing when allowing things
through SELinux's watchful gaze is to make sure that it's blocking your
actions and not someone else's. ;-)
Jima
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
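As an added example, not part of Jima's post and not code from the policycoreutils tools, here is a small Python script that does by hand what `audit2allow -M` does to the AVC records in audit.log: it parses the denials, merges permissions per (source type, target type, class) and writes out a `.te` module. It adds the one thing the post says you must check before `semodule -i`: it filters by process name so that only your own daemon's denials become allow rules, and it reports what was left out. The daemon name `mydaemon`, its domain `mydaemon_t` and every audit line below are constructed for illustration, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real host).
# Three denials belong to a hypothetical daemon running as mydaemon_t; the
# sshd record is someone else's denial and must not end up in our module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1391690000.123:456): avc:  denied  { read } for  pid=1234 comm="mydaemon" name="config.yml" dev="dm-0" ino=131 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1391690000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="mydaemon" exe="/usr/sbin/mydaemon"
type=AVC msg=audit(1391690001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="mydaemon" dest=5432 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1391690002.789:458): avc:  denied  { write } for  pid=999 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1391690003.000:459): avc:  denied  { read open } for  pid=1234 comm="mydaemon" name="config.yml" scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{ ([^}]+) \}')


def parse_avc_denials(log_text):
    """Return one dict per AVC denial record: comm, perms, source type,
    target type and object class. Non-AVC records (SYSCALL etc.) are skipped."""
    denials = []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        perms = PERMS_RE.search(line)
        if not perms:
            continue  # an AVC "granted" record or a malformed line
        fields = dict(FIELD_RE.findall(line))
        denials.append({
            "comm": fields.get("comm", "").strip('"'),
            "perms": frozenset(perms.group(1).split()),
            "stype": fields["scontext"].split(":")[2],  # user:role:type:level
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        })
    return denials


def generate_te(module_name, denials, comm=None):
    """Build .te source in the shape audit2allow -M writes. When comm is
    given, only that process's denials become allow rules; everything else
    is returned separately so the reviewer can see what was left out."""
    wanted = [d for d in denials if comm is None or d["comm"] == comm]
    skipped = [d for d in denials if comm is not None and d["comm"] != comm]
    rules = defaultdict(set)  # (stype, ttype, tclass) -> union of perms
    for d in wanted:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)  # tclass -> every permission used on it
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n", skipped


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    te, left_out = generate_te("policy1", found, comm="mydaemon")
    print(te)
    for d in left_out:
        print(f"# not included: {d['comm']} ({d['stype']}) -> {d['ttype']}:{d['tclass']} "
              f"{{ {' '.join(sorted(d['perms']))} }}")
```

Run stand-alone it prints a policy1.te with two allow rules for mydaemon_t and a trailing line noting that the sshd_t -> shadow_t write was left out. The same review applies to a real policy1.te: every allow line names the source domain first, so any line whose source is not your daemon's domain is someone else's denial and does not belong in your module. With the real tools you can get the same per-process filtering, and avoid moving audit.log between iterations, by feeding audit2allow from ausearch instead of the raw log, e.g. `ausearch -m AVC -c mydaemon -ts recent | audit2allow -M policy1`, then reading policy1.te and loading with `semodule -i policy1.pp` as in the post.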