[CentOS] selinux

m.roth at 5-cent.us
Thu Apr 22 20:54:59 UTC 2010


>> Does anyone know? Are we, with CentOS, that far behind with something
>> like this, which isn't even a port, but a policy?
>
> I dunno about CentOS but on Fedora I just look at the message in the
> log file (/var/log/messages IIRC) and it gives me a command to execute
> to view more details. When I do that, I get a window that comes up
> with a whole bunch of info, including a command I can use to permit
> this behavior from now on. Sometimes executing that command does not
> solve the issue, but usually there is a reasonably obvious way to
> tweak the command. If I can do it, anyone can. Because as far as
> selinux goes I know ZERO and am just fumbling around like a bull in a
> china shop. But I've been able to get that cruft out of my logs and
> allow stuff to work (on my desktop here at work).

Yeah, I can use audit2allow. The trouble is that I don't know the
ramifications of just adding that policy on an ad hoc basis - it might
open it up for a real attack.

Plus, of course, selinux does *not* always tell you the truth... meaning,
its error handling is *not* correct. I've posted several times here, and
over in the selinux-fedora group, because we're stuck with CA's
SiteMinder, and selinux would stop it from writing to its own logfile
(apparently because the idiots at CA have the file opened for modify,
rather than append)... but if I run the sealert for that, it claims I only
need to set httpd_unified on, and that does NOT fix it.

          mark
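The point about not knowing the ramifications of an audit2allow rule is exactly what a reviewer checks before loading one: which domain, which target type, which object class, and whether the requested permission is broader than the program actually needs (a log writer needs append, not write). The script below is an added example, not code from the list post or from the SELinux tools; it parses constructed AVC denial lines in the /var/log/messages and audit.log format and flags file denials that ask for write/unlink/rename, so the reviewer can see that allowing them grants more than "append to its own log". The comm and type names in the sample are constructed placeholders.

```sh
#!/bin/sh
# avc_review: summarise AVC denials the way a reviewer would before feeding
# them to audit2allow, and flag file denials whose permission set is broader
# than a log writer needs (write/unlink/rename instead of append).
avc_review() {
    awk '
    /avc: *denied/ {
        # the permission set sits between "denied  {" and "}"
        perms = $0
        sub(/.*denied  *\{ */, "", perms)
        sub(/ *\}.*/, "", perms)
        src = ""; tgt = ""; cls = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src  = kv[2]
            if (kv[1] == "tcontext") tgt  = kv[2]
            if (kv[1] == "tclass")   cls  = kv[2]
            if (kv[1] == "comm")     comm = kv[2]
        }
        gsub(/"/, "", comm)
        # reduce user:role:type:level to the type, which is what a rule names
        split(src, s, ":"); split(tgt, t, ":")
        flag = "ok"
        if (cls == "file" && perms ~ /(^| )(write|unlink|rename)( |$)/)
            flag = "REVIEW: broader than append"
        printf "%s %s -> %s:%s { %s } %s\n", comm, s[3], t[3], cls, perms, flag
    }' "$@"
}

# Constructed sample denials (not from a real system): the first is the
# "opened for modify rather than append" case, the second a plain append.
SAMPLE_AVC='type=AVC msg=audit(1271970899.123:456): avc:  denied  { write } for  pid=1234 comm="webagent" name="agent.log" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1271970899.456:457): avc:  denied  { append } for  pid=1234 comm="webagent" name="agent.log" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'

# Usage: on a live box, replace the sample with
#   ausearch -m avc -ts recent | avc_review
printf '%s\n' "$SAMPLE_AVC" | avc_review
```

A line marked REVIEW means the audit2allow output for it would be an `allow <domain> <type>:file { write }` rule, which is wider than the append-only access the program is supposed to need.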
