m.roth@5-cent.us wrote:
Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy?
I dunno about CentOS but on Fedora I just look at the message in the log file (/var/log/messages IIRC) and it gives me a command to execute to view more details. When I do that, I get a window that comes up
<snip>
Yeah, I can use audit2allow. The trouble is that I don't know the ramifications of just adding that policy on an ad hoc basis - it might open it up for a real attack.
Of course you should be cautious of opening up things you do not fully understand, but you're running in permissive mode meaning that you are already wide open from an SELinux perspective so adding a custom policy and putting SELinux back into enforcing mode isn't going to put you any more at risk other than maybe giving you some false sense of security.
Yes, but I have some systems that *do* have it enforcing, and some that are permissive are also production (as in, websites visible to the world), and I want to test my changes before I put them on the enforcing servers....
mark
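As an added example (not from the thread or from any of its posters), here is a small Python script for the step Mark wants before trusting an audit2allow module on an enforcing host: parse the AVC denials from audit.log, merge them into the allow rules audit2allow would draft, and flag the permissions that widen what the source domain can do. The log lines are constructed, and the REVIEW_PERMS set is my own choice of what deserves a second look.

```python
import re
from collections import defaultdict

# Constructed sample denials in audit.log AVC format; PIDs, inode numbers
# and file names are made up for illustration, not taken from a real system.
SAMPLE_AVCS = """\
type=AVC msg=audit(1300000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="site.conf" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.456:46): avc:  denied  { write } for  pid=1234 comm="httpd" name="cache" dev=sda1 ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1300000000.789:47): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# The third colon-separated field of a context is the type; MLS level is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\S+)"
)

# Permissions that change state or widen reach (assumed list, not from the
# thread); an ad hoc rule granting these deserves review before enforcing.
REVIEW_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
                "execute", "execmem", "execmod", "name_connect", "name_bind"}

def parse_avc(log_text):
    """Return one dict per AVC denial: source type, target type, class, perms."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append({"stype": m["stype"], "ttype": m["ttype"],
                          "tclass": m["tclass"], "perms": set(m["perms"].split())})
    return found

def draft_rules(denials):
    """Merge denials into allow rules in the TE syntax audit2allow emits."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def review(denials):
    """List the denials whose permissions widen what the source domain can do."""
    flagged = []
    for d in denials:
        risky = d["perms"] & REVIEW_PERMS
        if risky:
            flagged.append(f"{d['stype']} -> {d['ttype']}:{d['tclass']} "
                           f"{{ {' '.join(sorted(risky))} }}")
    return flagged

if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVCS)
    print("\n".join(draft_rules(denials)))
    print("Review before enforcing:", *review(denials), sep="\n  ")
```

Run it against `ausearch -m avc` output (or /var/log/audit/audit.log) from a permissive host; the flagged lines are the ones to justify or narrow before `semodule -i` on an enforcing server.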