Re: [CentOS] Selinux extra packages and compiled apps
From: Daniel J Walsh dwa...@redhat.com setools and setroubleshoot are not required to be run by SELinux. setroubleshoot-server is supposed to be able to be used on server machine and able to send email on errors that it sees. I installed setools-console since it was small. And, instead of setroubleshoot-server, will maybe write a small script to send emails when there are AVC messages... Thx, JD ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Selinux extra packages and compiled apps
Russ herrold wrote: Quick question: do I really need to install the setools/setroubleshoot packages or can I live without them? They want to install 80 packages (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing all sort of graphical tools/libs on my lean servers. Can I just install setools-console by example? What does experiemntation with yum in a testing mode indicate with the packageset on your box - dependency trees have an effectively infinite number of permutations My question was more do I really need this package to work with selinux? I installed setools-console and so far it seems enough... So, can I skip setroubleshoot? If you know a must-have selinux for dummies like howto, apart from Redhat/Fedora doc or CentOS wiki What is wrong with the article at: http://wiki.centos.org/HowTos/SELinux Nothing wrong; I already read it, and will read the redhat doc... Just looking for all the doc I can find on the subject. And maybe also for the hidden secret magic button that will auto-write the hundreds custom policies we will need... Creating a custom policy for an apache to use a non standard rootdir or port seems indeed easy with audit2allow... But several of our servers are more or less 10% standard (rpm based) and 90% custom, with dozens of apps/scripts listening on dozens non standard ports, sockets, accessing many files here and there... So the task is a bit daunting. Thx, JD PS: Any one found/made a Zimbra policy module? ^_^ ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Selinux extra packages and compiled apps
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/02/2011 10:50 AM, John Doe wrote: Hey, I am in the process of trying (and convincing my colleagues) to learn/setup selinux as we switch to 6.0... Quick question: do I really need to install the setools/setroubleshoot packages or can I live without them? They want to install 80 packages (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing all sort of graphical tools/libs on my lean servers. Can I just install setools-console by example? Is there a console only equivalent for setroubleshoot? If you know a must-have selinux for dummies like howto, apart from Redhat/Fedora doc or CentOS wiki, I am interested!Especially if it covers the case of many non-standard applications (the policy here is to use compiled apaches/php/mencoder/ffmpeg/..., all installed (with their data/logs) in a /OURDIR directory (but still use /var/run for the pids and a few others depending on the app), init.d scripts, logrotates, etc... Thx, JD ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos setools and setroubleshoot are not required to be run by SELinux. setroubleshoot-server is supposed to be able to be used on server machine and able to send email on errors that it sees. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5mKZ8ACgkQrlYvE4MpobNaogCgy0vbvm21zZr/sR2w2206oKOP dScAoMbCHjDHROJjOny1pfl+W7wsQnmk =MoKe -END PGP SIGNATURE- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Selinux extra packages and compiled apps
On Tue, 6 Sep 2011, John Doe wrote: Nothing wrong; I already read it, and will read the redhat doc... Just looking for all the doc I can find on the subject. And maybe also for the hidden secret magic button that will auto-write the hundreds custom policies we will need... Creating a custom policy for an apache to use a non standard rootdir or port seems indeed easy with audit2allow... But several of our servers are more or less 10% standard (rpm based) and 90% custom, with dozens of apps/scripts listening on dozens non standard ports, sockets, accessing many files here and there... So the task is a bit daunting. This illustrates a point I was making to Russ offlist...the only way I see to implement selinux in an 'enterprise' environment is to do it on a major version revision. And you will need buy in up to the 'C' level to beat back the murderous hordes of programmers and admins whose stuff will 'break'. Or you sign up to an endless treadmill of piecemeal selinux admin. (IMO selinux is great...) -- Jim Wildman, CISSP, RHCE j...@rossberry.com http://www.rossberry.net Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one. Thomas Paine___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos