On Mon, 2007-06-25 at 09:16 -0400, Jim Perrin wrote:
Rebuilding the code won't solve the problem. You'll have to modify the selinux rules so that these actions are allowed. For Centos5 and rhel5 this is pretty easy.
1. Enable selinux in permissive mode, and capture the selinux error
   messages. They'll likely be in /var/log/audit/audit.log or /var/log/messages
2. Run audit2allow -i selinux.log -M localpolicy
3. Next you load the module you just created with 'semodule -i localpolicy.pp'
Lather, rinse, repeat.
Actually, I don't think this is a very good idea (I know it is suggested in upstream documentation). For instance, suppose that clamav is tagged as, say, 'bin_t', and executing clamav was rejected. The above will usually add an allow rule for executing bin_t binaries for the context of the caller. This obviously punches a big hole in a policy if it does not allow such a thing.
Make your own policy modules for local policy (you could create a start with command (2)), but add and check rules and contexts manually. audit2allow is a nice tool to see what was denied, but its output should not be copied verbatim.
-- Daniel
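The following is an added example illustrating the point made in this thread; it is not code from either poster. It parses AVC denial records in the audit.log format, shows the allow rule that audit2allow would emit for each one, and flags denials whose target carries a generic file type such as bin_t, where the right fix is usually to relabel the file rather than to load the rule. The sample log lines, the type names (clamd_t, clamd_var_lib_t) and the set of "generic" types are constructed for the example and are assumptions, not taken from any particular policy.

```python
"""Triage SELinux AVC denials before turning them into allow rules.

Shows the rule audit2allow would generate for each denial and flags the ones
whose target is a generic file type (e.g. bin_t): those usually mean the file
is mislabeled and should be relabeled, not allowed. Log lines and type names
below are constructed for this example.
"""
import re

# Constructed records in the style of /var/log/audit/audit.log (assumed types).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1182778560.123:456): avc:  denied  { execute } for  pid=2345 comm="clamd" name="clamd" dev=sda2 ino=123456 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1182778561.456:457): avc:  denied  { read } for  pid=2345 comm="clamd" name="main.cvd" dev=sda2 ino=234567 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1182778562.789:458): avc:  denied  { write } for  pid=2345 comm="clamd" name="clamd.log" dev=sda2 ino=345678 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1182778562.789:458): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Generic file types: a denial against one of these is a labeling problem far more
# often than a missing rule. Allowing a confined domain to execute bin_t, say, lets
# it run anything in /bin. This list is the example's own judgment, not policy-defined.
GENERIC_TYPES = {"bin_t", "sbin_t", "usr_t", "lib_t", "etc_t", "var_t", "var_lib_t",
                 "var_log_t", "tmp_t", "file_t", "unlabeled_t", "default_t"}


def context_type(ctx):
    """'system_u:object_r:bin_t:s0' -> 'bin_t' (the type is the third field)."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Return one dict per AVC denial; non-AVC records (SYSCALL etc.) are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        name = re.search(r'\bname="([^"]*)"', line)
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": sorted(m.group("perms").split()),
            "name": name.group(1) if name else None,
        })
    return denials


def audit2allow_rule(d):
    """The allow rule audit2allow would generate for this denial."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], perms)


def triage(log_text):
    """Attach a verdict to each denial: 'relabel' when the target type is generic
    (fix the file context instead of allowing), otherwise 'review' (a rule may be
    right, but read it before loading it)."""
    out = []
    for d in parse_avc(log_text):
        d = dict(d, rule=audit2allow_rule(d))
        if d["target"] in GENERIC_TYPES:
            d["verdict"] = "relabel"
            d["advice"] = ("%s is a generic type; give %r a domain-specific type "
                           "(semanage fcontext -a -t <type> <path>; restorecon -v <path>) "
                           "instead of loading: %s" % (d["target"], d["name"], d["rule"]))
        else:
            d["verdict"] = "review"
            d["advice"] = "candidate rule (check that it is really wanted): " + d["rule"]
        out.append(d)
    return out


def render_module(denials, name="localpolicy", version="1.0"):
    """Write .te source in audit2allow's layout containing only the 'review' rules.
    Build as usual: checkmodule -M -m -o NAME.mod NAME.te; semodule_package -o NAME.pp -m NAME.mod"""
    rules = [d for d in denials if d["verdict"] == "review"]
    types = sorted({t for d in rules for t in (d["source"], d["target"])})
    classes = {}
    for d in rules:
        classes.setdefault(d["tclass"], set()).update(d["perms"])
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [d["rule"] for d in rules]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_AUDIT_LOG)
    for d in results:
        print("[%s] %s" % (d["verdict"], d["advice"]))
    print(render_module(results))
```

Run against a real file with `triage(open("/var/log/audit/audit.log").read())`; the "review" verdict only means the target type is not in the generic list, so the remaining rules still need to be read against the policy before being loaded with semodule.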