[CentOS] SELinux C7 audit

Tue Jul 5 16:46:49 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

On 07/05/2016 08:21 AM, Alessandro Baggi wrote:
> What are the meaning of rules on pol.te

The CentOS howto has some information, and links to additional resources.

The policy should be pretty easy to read, though.  You have one rule, 
"allow bacula_t systemd_systemctl_exec_t:file execute."  Each word in 
that rule, except for "allow" is defined somewhere, and has to be 
loaded, so they are each individually loaded in the "require" block.

> and why bacula can't do transiction between context? 

The easiest way to write a policy is to apply labels and run an 
application in permissive mode.  Using the AVCs that are logged, a new 
policy can be generated.  The short answer is, you're doing something 
that the people who developed the SELinux policy didn't do while writing 
the policy.  If the thing that you're doing is standard or best 
practice, you might consider that a bug and file a report to have the 
policy extended.  However, I suspect that restarting services is not a 
standard practice, so the local policy that you've generated is the best