Re: [CentOS-docs] SELinux

2008-08-11 Thread Manuel Wolfshant

Ned Slider wrote:

> Hi list,
>
> I've knocked up a contribution on SELinux here:
>
> http://wiki.centos.org/HowTos/SELinux
>
> I've tried to pitch it as an introduction for those not already
> familiar with SELinux but also hopefully a useful reference.
>
> I'm relatively new to SELinux and have covered pretty much everything
> I know to the limits of my limited knowledge. If folks think other
> material needs to be covered then it may be more appropriate for them
> to make the additions rather than me. Consider it a get-the-ball-
> rolling contribution that the community can add to as necessary :)
>
> Comments welcomed,
I would add the following just before Summary (in case one wants to 
edit the rules suggested by audit2allow):


   Building module policy manually


- grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
- while reviewing the generated postfix.te

   module postfix 1.0;

   require {
   type httpd_log_t;
   type postfix_postdrop_t;
   class dir getattr;
   class file { read getattr };
   }

   #============= postfix_postdrop_t ==============
   allow postfix_postdrop_t httpd_log_t:file getattr;


we decide that we do not want either to *relabel* the files or to 
*allow* the action, but it is safe to *ignore* the warnings. Therefore 
we edit the action rule, like below:


   dontaudit postfix_postdrop_t httpd_log_t:file getattr;

We now need to compile and load the policy:

   $ checkmodule -M -m -o postfix.mod postfix.te
   $ semodule_package -o postfix.pp -m postfix.mod
   $ semodule -i postfix.pp



___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs
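Added example (editor's, not Manuel's code and not audit2allow itself) that generalises the edit described above: it parses AVC denial lines into the source type, target type, object class and permissions, renders the .te module with a require block, and lets the administrator name the (source, target) pairs whose denials should become dontaudit rules instead of allow rules, exactly the allow -> dontaudit change made by hand in the post. The audit lines, the module name and the silence parameter are constructed for the example; the compile step runs the same checkmodule / semodule_package / semodule chain as the post and is skipped when those tools are not installed.

```python
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed sample denials (not taken from the post's audit.log): postdrop
# touching httpd's log directory and a file in it, plus one unrelated denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1218448801.123:456): avc:  denied  { getattr } for  pid=2345 comm="postdrop" path="/var/log/httpd/error_log" dev=sda2 ino=1234 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1218448801.123:457): avc:  denied  { getattr } for  pid=2345 comm="postdrop" path="/var/log/httpd" dev=sda2 ino=1200 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1218448801.500:458): avc:  denied  { read } for  pid=2346 comm="sendmail" name="main.cf" dev=sda2 ino=9876 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1218448801.500:458): arch=c000003e syscall=2 success=no exit=-13
"""


def parse_avc(line):
    """Return (source type, target type, object class, permissions) for one
    'avc: denied' line, or None for any other audit record."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        # a context is user:role:type[:level]; the policy rule needs the type
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], perms
    except (KeyError, IndexError):
        return None


def fmt_perms(perms):
    """Render a permission set the way the .te syntax expects."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def build_te(module_name, log_lines, silence=frozenset()):
    """Render a module .te from denial lines. Each (source type, target type)
    pair in `silence` (an assumed parameter) gets a dontaudit rule, i.e. the
    admin reviewed the denial and decided it is harmless noise; every other
    denial gets an allow rule, as audit2allow would emit."""
    rules = defaultdict(set)          # (stype, ttype, tclass) -> perms
    for line in log_lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    classes = defaultdict(set)        # tclass -> every perm the module mentions
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        verb = "dontaudit" if (stype, ttype) in silence else "allow"
        out.append(f"{verb} {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def compile_and_load(module_name, te_text, load=False):
    """Run the same checkmodule / semodule_package / semodule chain as the
    post. Returns the .pp path, or None when the SELinux tools are absent."""
    if not all(shutil.which(t) for t in ("checkmodule", "semodule_package")):
        return None
    te, mod, pp = (f"{module_name}.{ext}" for ext in ("te", "mod", "pp"))
    with open(te, "w") as fh:
        fh.write(te_text)
    subprocess.run(["checkmodule", "-M", "-m", "-o", mod, te], check=True)
    subprocess.run(["semodule_package", "-o", pp, "-m", mod], check=True)
    if load:  # installing into the running policy needs root
        subprocess.run(["semodule", "-i", pp], check=True)
    return pp


if __name__ == "__main__":
    te = build_te("postfix", SAMPLE_AUDIT_LOG.splitlines(),
                  silence={("postfix_postdrop_t", "httpd_log_t")})
    print(te)
    print("built:", compile_and_load("postfix", te) or "SELinux tools not installed")
```

The point of keeping the decision in a separate `silence` set is that the choice between allow, dontaudit and relabelling is a review decision, not something to derive from the log: a dontaudit rule only hides the denial from the audit log, the access still fails, so it is the right answer only when the program works correctly despite the denial. The require block lists the union of permissions per class, so a dontaudit rule and an allow rule on the same class compile together.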


Re: [CentOS-docs] SELinux

2008-08-11 Thread Ralph Angenendt
Ned Slider wrote:
> Hi list,
>
> I've knocked up a contribution on SELinux here:
>
> http://wiki.centos.org/HowTos/SELinux
>
> I've tried to pitch it as an introduction for those not already familiar
> with SELinux but also hopefully a useful reference.

Great article. 

What maybe should be added to the article is the fact, that SELinux
doesn't need programs to be changed, meaning that programs do not (need
to) know about SELinux at all for it to work. So a SELinux denial just
looks like a normal access denied to any program.

Cheers,

Ralph

