[CentOS-docs] SELinux

Mon Aug 11 08:14:58 UTC 2008
Manuel Wolfshant <wolfy at nobugconsulting.ro>

Ned Slider wrote:
> Hi list,
> I've knocked up a contribution on SELinux here:
> http://wiki.centos.org/HowTos/SELinux
> I've tried to pitch it as an introduction for those not already 
> familiar with SELinux but also hopefully a useful reference.
> I'm relatively new to SELinux and have covered pretty much everything 
> I know to the limits of my limited knowledge. If folks think other 
> material needs to be covered then it may be more appropriate for them 
> to make the additions rather than me. Consider it a "get the ball 
> rolling" contribution that the community can add to as necessary :)
> Comments welcomed,
I would add the following just before "Sumamry" (in case one wants to 
edit the rules suggested by audit2allow):

    Building module policy manually

- grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
- while reviewing the generated postfix.te

    module local 1.0;

    require {
            type httpd_log_t;
            type postfix_postdrop_t;
            class dir getattr;
            class file { read getattr };

    #============= postfix_postdrop_t ==============
    allow postfix_postdrop_t httpd_log_t:file getattr;

we decide that we do not want either to *relabel* the files or to 
*allow* the action, but it is safe to *ignore* the warnings. Therefore 
we edit the action rule, like below:

    dontaudit postfix_postdrop_t httpd_log_t:file getattr;

We now need to compile and load the policy:

    $ checkmodule -M -m -o postfix.mod postfix.te
    $ semodule_package -o local.pp -m postfix.mod
    $ semodule -i postfix.pp

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20080811/b97861d7/attachment-0002.html>