[CentOS] selinux

Thu Apr 22 20:06:43 UTC 2010
Ned Slider <ned at unixmail.co.uk>

m.roth at 5-cent.us wrote:
>>> Does anyone know? Are we, with CentOS, that far behind with something
>>> like this, which isn't even a port, but a policy?
>> I dunno about CentOS but on Fedora I just look at the message in the
>> log file (/var/log/messages IIRC) and it gives me a command to execute
>> to view more details.   When I do that, I get a window that comes up
>> with a whole bunch of info, including a command I can use to permit
>> this behavior from now on.  Sometimes executing that command does not
>> solve the issue, but usually there is a reasonably obvious way to
>> tweak the command.  If I can do it, anyone can.  Because as far as
>> selinux goes I know ZERO and am just fumbling around like a bull in a
>> china shop.  But I've been able to get that cruft out of my logs and
>> allow stuff to work (on my desktop here at work)
> 
> Yeah, I can use audit2allow. The trouble is that I don't know the
> ramifications of just adding that policy on an ad hoc basis - it might
> open it up for a real attack.
> 

Of course you should be cautious of opening up things you do not fully 
understand, but you're running in permissive mode meaning that you are 
already wide open from an SELinux perspective so adding a custom policy 
and putting SELinux back into enforcing mode isn't going to put you any 
more at risk other than maybe giving you some false sense of security.