[CentOS-docs] SELinux

Mon Aug 11 08:14:58 UTC 2008
Manuel Wolfshant <wolfy at nobugconsulting.ro>

Ned Slider wrote:
> Hi list,
>
> I've knocked up a contribution on SELinux here:
>
> http://wiki.centos.org/HowTos/SELinux
>
> I've tried to pitch it as an introduction for those not already 
> familiar with SELinux but also hopefully a useful reference.
>
> I'm relatively new to SELinux and have covered pretty much everything 
> I know to the limits of my limited knowledge. If folks think other 
> material needs to be covered then it may be more appropriate for them 
> to make the additions rather than me. Consider it a "get the ball 
> rolling" contribution that the community can add to as necessary :)
>
> Comments welcomed,
I would add the following just before "Summary" (in case one wants to 
edit the rules suggested by audit2allow):

    Building module policy manually


- grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
- while reviewing the generated postfix.te

    module postfix 1.0;

    require {
            type httpd_log_t;
            type postfix_postdrop_t;
            class dir getattr;
            class file { read getattr };
    }

    #============= postfix_postdrop_t ==============
    allow postfix_postdrop_t httpd_log_t:file getattr;


we decide that we do not want either to *relabel* the files or to 
*allow* the action, but it is safe to *ignore* the warnings. Therefore 
we edit the action rule, like below:

    dontaudit postfix_postdrop_t httpd_log_t:file getattr;

We now need to compile and load the policy:

    $ checkmodule -M -m -o postfix.mod postfix.te
    $ semodule_package -o postfix.pp -m postfix.mod
    $ semodule -i postfix.pp

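To make the workflow above concrete (collect AVC denials, turn them into a .te module, and decide per rule whether to allow the access or just dontaudit it), here is an added Python example; it is not part of Manuel's mail, the wiki page, or the audit2allow tool. It re-implements only the narrow part of audit2allow that the mail relies on (grouping denials by source type, target type and class into a require block and rules), and the audit.log lines it parses are constructed samples mirroring the postfix_postdrop_t / httpd_log_t case. Real audit2allow does considerably more (interface mapping, booleans, constraint handling), so this is an explanation aid, not a replacement.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not taken from a real host). The
# contexts mirror the postfix_postdrop_t / httpd_log_t case in the mail.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1218441000.123:42): avc:  denied  { getattr } for  pid=2345 comm="postdrop" path="/var/log/httpd/error_log" dev=sda3 ino=12345 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1218441000.456:43): avc:  denied  { read } for  pid=2345 comm="postdrop" name="error_log" dev=sda3 ino=12345 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1218441001.789:44): avc:  denied  { getattr } for  pid=2345 comm="postdrop" path="/var/log/httpd" dev=sda3 ino=12300 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1218441001.789:44): arch=c000003e syscall=4 success=no exit=-13 comm="postdrop"
"""

# One AVC denial: the permission set, the source/target contexts and the
# object class. Context fields are user:role:type[:level]; we want the type.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scon>\S+)'
    r'.*?\btcontext=(?P<tcon>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, class, [perms]) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group('scon').split(':')[2]
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), m.group('perms').split()


def collect_denials(log_text):
    """Merge denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def format_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_te(rules, module_name, silence=(), version='1.0'):
    """Render loadable-module source (.te) from collected denials.

    Keys listed in `silence` are emitted as dontaudit rules: the access stays
    denied but no longer fills the audit log. Everything else becomes allow.
    """
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)

    out = [f'module {module_name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {format_perms(classes[c])};' for c in sorted(classes)]
    out.append('}')

    current_source = None
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype != current_source:
            out += ['', f'#============= {stype} ==============']
            current_source = stype
        keyword = 'dontaudit' if (stype, ttype, tclass) in silence else 'allow'
        out.append(f'{keyword} {stype} {ttype}:{tclass} {format_perms(perms)};')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    denials = collect_denials(SAMPLE_AUDIT_LOG)
    # Silence the file accesses (the decision taken in the mail) but keep the
    # directory getattr as a normal allow rule, to show both forms side by side.
    print(build_te(denials, 'postfix',
                   silence={('postfix_postdrop_t', 'httpd_log_t', 'file')}))
    # The printed text is what you would save as postfix.te and feed to:
    #   checkmodule -M -m -o postfix.mod postfix.te
    #   semodule_package -o postfix.pp -m postfix.mod
    #   semodule -i postfix.pp
```

Running the script prints a module whose file rules are dontaudit and whose dir rule is allow; before loading anything like it, check each allow line against what the process actually needs, since a dontaudit only hides the denial while an allow widens the policy.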