What is the equivalent "selinux-policy-targeted-sources" package in CentOS 5? It was available in 4.4. Thanks for any help.
On Wed, 2007-05-16 at 16:46 -0400, Jiann-Ming Su wrote:
What is the equivalent "selinux-policy-targeted-sources" package in CentOS 5? It was available in 4.4. Thanks for any help.
Most of the policy is added through policy modules in CentOS 5. The policy module sources are available through the selinux-policy SRPM, the interface files are also available through the selinux-policy-devel package. Though, you don't need the sources in CentOS 5 to build policies for new programs (you can write a module, and compile it using the Makefile provided in the selinux-policy-devel package).
-- Daniel
On Wed, 16 May 2007, Jiann-Ming Su wrote:
What is the equivalent "selinux-policy-targeted-sources" package in CentOS 5? It was available in 4.4. Thanks for any help.
Funny, I just asked myself that this morning.
Reading the RHEL 5 manual (Chapter 45. Customizing SELinux Policy), I came to the conclusion that semanage, semodule, and audit2allow are the newly blessed toolset.
I needed to allow dhcpd to bind to a port (1820/1821 in my case) for failover, but that binding is verboten in the standard targeted policy. I took a look at the audit.log to see what entries were of interest (they all contained src=1820 or src=1821), and passed those entries to audit2allow, asking it to create a policy called "dhcpfailover." I looked at the resulting dhcpfailover.te file to make sure it looked something like I expected, and then used semodule to install and activate the policy revision. I.e.,
grep 'src=182[01]' /var/log/audit/audit.log | audit2allow -M dhcpfailover
$PAGER dhcpfailover.te
semodule -i dhcpfailover.pp
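
The manual review step described above (reading the generated .te file before running semodule) can be scripted. The following is an added example, not part of the original thread; review_te is a hypothetical helper and both .te files are constructed samples in the layout audit2allow -M writes.

```sh
# Added example: vet an audit2allow-generated .te file before `semodule -i`.
# review_te FILE DOMAIN PERMS  (hypothetical helper, not an SELinux tool)
#   prints each allow rule whose source type is not DOMAIN or that grants a
#   permission outside PERMS; returns 1 if any such rule exists, else 0.
review_te() {
    awk -v domain="$2" -v perms="$3" '
        BEGIN { n = split(perms, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 == "allow" {
            line = $0
            sub(/^[ \t]+/, "", line)       # drop leading indentation
            sub(/;[ \t]*$/, "", line)      # drop trailing semicolon
            gsub(/[{}]/, " ", line)        # flatten "{ a b }" permission sets
            m = split(line, f, /[ \t]+/)
            bad = (f[2] != domain)         # f[2] is the source type
            for (i = 4; i <= m; i++)       # f[4..m] are the permissions
                if (f[i] != "" && !(f[i] in ok)) bad = 1
            if (bad) { print "UNEXPECTED: " $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

tmp=$(mktemp -d)
# Constructed sample: the narrow module the poster expected to see.
cat > "$tmp/good.te" <<'EOF'
module dhcpfailover 1.0;

require {
    type dhcpd_t;
    type port_t;
    class tcp_socket name_bind;
}

allow dhcpd_t port_t:tcp_socket name_bind;
EOF
# Constructed sample: rules that a loose grep over audit.log could pull in.
cat > "$tmp/broad.te" <<'EOF'
allow dhcpd_t port_t:tcp_socket name_bind;
allow dhcpd_t self:capability { sys_admin net_raw };
allow named_t port_t:udp_socket name_bind;
EOF

review_te "$tmp/good.te" dhcpd_t name_bind && echo "good.te: matches expectation"
review_te "$tmp/broad.te" dhcpd_t name_bind || echo "broad.te: review before semodule -i"
```
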