[CentOS-docs] SELinux

Tue Aug 12 19:09:58 UTC 2008
Ned Slider <ned at unixmail.co.uk>

Manuel Wolfshant wrote:
> On 08/12/2008 07:12 PM, Ned Slider wrote:
>> Manuel Wolfshant wrote:
>>> Ned Slider wrote:
>>>> Hi list,
>>>>
>>>> I've knocked up a contribution on SELinux here:
>>>>
>>>> http://wiki.centos.org/HowTos/SELinux
>>>>
>>>> I've tried to pitch it as an introduction for those not already 
>>>> familiar with SELinux but also hopefully a useful reference.
>>>>
>>>> I'm relatively new to SELinux and have covered pretty much 
>>>> everything I know to the limits of my limited knowledge. If folks 
>>>> think other material needs to be covered then it may be more 
>>>> appropriate for them to make the additions rather than me. Consider 
>>>> it a "get the ball rolling" contribution that the community can add 
>>>> to as necessary :)
>>>>
>>>> Comments welcomed,
>>> I would add the following just before "Summary" (in case one wants to 
>>> edit the rules suggested by audit2allow):
>>>
>>>    Building module policy manually
>>>
>>>
>>> - grep sendmail /var/log/audit/audit.log | audit2allow -M postfix
>>> - while reviewing the generated postfix.te
>>>
>>>    module postfix 1.0;
>>>
>>>    require {
>>>            type httpd_log_t;
>>>            type postfix_postdrop_t;
>>>            class dir getattr;
>>>            class file { read getattr };
>>>    }
>>>
>>>    #============= postfix_postdrop_t ==============
>>>    allow postfix_postdrop_t httpd_log_t:file getattr;
>>>
>>>
>>
>> Wolfy,
>>
>> Are you able to supply an example of the audit.log AVC message(s) that 
>> are used to create this .te policy? It might be useful to show the 
>> actual AVC error messages in explaining this process.
>>
>> Thanks,
> Here you are. I hope I have not trashed anything valuable but most of 
> the info must be here.
> 

Thanks.

One wonders why postdrop is interested in /var/log/httpd/error_log?

> 
> 
> PS, for those who might be tempted to comment about the kernel version: 
> I already know what you want to say.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> CentOS-docs mailing list
> CentOS-docs at centos.org
> http://lists.centos.org/mailman/listinfo/centos-docs
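To make the "build module policy manually" step above concrete, here is an added example (mine, not code from the wiki page or from either poster) that replays what `audit2allow -M NAME` does on a constructed set of AVC denials, so the mapping from each denial to the `require` block and `allow` rules in the `.te` is explicit, and then runs the `checkmodule`/`semodule_package` build that `-M` normally does for you. The AVC lines, pids, inode numbers and timestamps are invented; the function names `filter_avc`, `avc_to_te` and `build_module` are mine. The build step needs the policy tools (`checkmodule`, `semodule_package`, `semodule`) and is skipped when they are absent.

```shell
#!/bin/sh
# Added example (not from the wiki page or the list thread): a transparent
# stand-in for "audit2allow -M NAME", so the mapping from AVC denials to the
# require block and allow rules of a .te module is visible, followed by the
# checkmodule/semodule_package build that audit2allow -M normally runs for you.

# Constructed AVC lines (pids, inodes and timestamps invented); the last one is
# an unrelated httpd_t denial that the domain filter should drop.
SAMPLE_AVC='type=AVC msg=audit(1218563310.427:1234): avc:  denied  { getattr } for  pid=12345 comm="postdrop" path="/var/log/httpd/error_log" dev=sda3 ino=98765 scontext=root:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1218563311.101:1235): avc:  denied  { read } for  pid=12346 comm="postdrop" path="/var/log/httpd/error_log" dev=sda3 ino=98765 scontext=root:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1218563312.222:1236): avc:  denied  { getattr } for  pid=12347 comm="postdrop" path="/var/log/httpd" dev=sda3 ino=4321 scontext=root:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1218563313.333:1237): avc:  denied  { write } for  pid=12348 comm="httpd" path="/var/www/html/x" dev=sda3 ino=5555 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file'

# filter_avc DOMAIN: keep only AVC denials whose source domain is DOMAIN
# (the equivalent of the "grep sendmail audit.log" step, keyed on the SELinux
# type rather than the command name so unrelated denials do not slip in).
filter_avc() {
    grep 'avc: *denied' | grep "scontext=[^ ]*:$1:"
}

# avc_to_te NAME: read AVC denials on stdin, print a policy module NAME.te.
# Every denied permission becomes an allow rule, grouped by (source type,
# target type, class), which is what audit2allow does; review before building.
avc_to_te() {
    awk -v mod="$1" '
    function braces(s) { return index(s, " ") ? "{ " s " }" : s }
    /avc: +denied/ {
        perms = $0
        sub(/^.*denied[ \t]*[{][ \t]*/, "", perms)   # keep the text between { and }
        sub(/[ \t]*[}].*$/, "", perms)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == "" || ttype == "" || tclass == "") next
        if (!(stype in tseen))  { tseen[stype] = 1;  types[++nt] = stype }
        if (!(ttype in tseen))  { tseen[ttype] = 1;  types[++nt] = ttype }
        if (!(tclass in cseen)) { cseen[tclass] = 1; classes[++nc] = tclass }
        key = stype " " ttype ":" tclass
        if (!(key in rseen))    { rseen[key] = 1;    rules[++nr] = key }
        n = split(perms, pl, " ")
        for (i = 1; i <= n; i++) {
            if (!((key, pl[i]) in pseen)) {
                pseen[key, pl[i]] = 1
                rperms[key] = rperms[key] (rperms[key] == "" ? "" : " ") pl[i]
            }
            if (!((tclass, pl[i]) in cpseen)) {
                cpseen[tclass, pl[i]] = 1
                cperms[tclass] = cperms[tclass] (cperms[tclass] == "" ? "" : " ") pl[i]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", classes[i], braces(cperms[classes[i]])
        printf "}\n\n"
        for (i = 1; i <= nr; i++) printf "allow %s %s;\n", rules[i], braces(rperms[rules[i]])
    }'
}

# build_module NAME: compile NAME.te into the NAME.pp that "semodule -i" loads.
# Returns 2 (and builds nothing) when the policy tools are not installed.
build_module() {
    command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1 || {
        echo "checkmodule/semodule_package not found; skipping build of $1.pp" >&2
        return 2
    }
    checkmodule -M -m -o "$1.mod" "$1.te" && semodule_package -o "$1.pp" -m "$1.mod"
}

# Demo: filter the constructed log down to the postfix_postdrop_t domain,
# generate postfix.te, show it, and try to build it. On a real system read the
# .te first and only then run "semodule -i postfix.pp".
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_AVC" > "$work/audit.log"
filter_avc postfix_postdrop_t < "$work/audit.log" | avc_to_te postfix > "$work/postfix.te"
cat "$work/postfix.te"
if ( cd "$work" && build_module postfix ); then
    echo "built $work/postfix.pp (install with: semodule -i $work/postfix.pp)"
fi
```

The point of reading the `.te` before `semodule -i` is that this process grants whatever was denied, whether or not the access was sensible. A denial such as `postfix_postdrop_t` getting `getattr` on `httpd_log_t` is typically caused by a file descriptor inherited from the process that invoked `sendmail` (for example an `httpd` child whose stderr is `error_log`), and the usual treatment for that kind of leaked-descriptor denial is a `dontaudit` rule or a fix in the caller, not an `allow` that lets the mail client read the web server's logs.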