[CentOS] SELinux C7 audit

Wed Jul 6 07:03:41 UTC 2016
Alessandro Baggi <alessandro.baggi at gmail.com>

On 05/07/2016 18:46, Gordon Messmer wrote:
> On 07/05/2016 08:21 AM, Alessandro Baggi wrote:
>> What is the meaning of the rules in pol.te
>
> https://wiki.centos.org/HowTos/SELinux
> The CentOS howto has some information, and links to additional resources.
>
> The policy should be pretty easy to read, though.  You have one rule,
> "allow bacula_t systemd_systemctl_exec_t:file execute."  Each word in
> that rule, except for "allow" is defined somewhere, and has to be
> loaded, so they are each individually loaded in the "require" block.
>
>> and why can't bacula do a transition between contexts?
>
>
> The easiest way to write a policy is to apply labels and run an
> application in permissive mode.  Using the AVCs that are logged, a new
> policy can be generated.  The short answer is, you're doing something
> that the people who developed the SELinux policy didn't do while writing
> the policy.  If the thing that you're doing is standard or best
> practice, you might consider that a bug and file a report to have the
> policy extended.  However, I suspect that restarting services is not a
> standard practice, so the local policy that you've generated is the best
> solution.

Thanks for your answer