[CentOS] SELinux modification

Wed Apr 19 13:39:11 UTC 2006
James B. Byrne <ByrneJB at Harte-Lyne.ca>

In-Reply-To: : <44457936.4090207 at emmanuelcomputerconsulting.com>


On Tue, 18 Apr 2006 19:41:42 -0400,
William Warren <hescominsoon at emmanuelcomputerconsulting.com> wrote:

> I installed SeLinux in warn mode.  HOw do i check to see what it
> is wanring about?  This wil help me in make a decision to turn it
> to active mode..:)

Try this:

$ audit2allow --help
audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]
        -d      read input from output of /bin/dmesg
        -v      verbose output
        -l      read input only after last "load_policy"
        -i      read input from <inputfile>
        -o      append output to <outputfile>

$ audit2allow -v -1 /var/log/messages

This will not only tell you what SELinux is complaining about, it will
give you the basic information needed to configure your local policy file
in:

/etc/selinux/targeted/src/policy/domains/misc/local.te

To implement policy changes, edit the local.te file as indicated by
audit2allow and rebuild your SELinux policy files with:

$ /etc/selinux/targeted/src/policy/make reload

Be advised however that audit2allow may suggest policy alterations that
are broader than strictly necessary.  It is probably worth your while to
post your contemplated policy changes here and get some informed opinions
about whether they actually should be more restrictive.

To do any of this you need to first install the selinux-policy-targeted rpm.

Regards,
Jim


-- 
***     e-mail is NOT a secure channel     ***
James B. Byrne                mailto:ByrneJB.<token>@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3CE               delivery <token> = hal