On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote: > Le mardi 25 avril 2017 à 10:39 +0200, Robert Moskowitz a écrit : >> Thanks Laurent. You obviously know a LOT more about SELinux than I. I >> pretty much just use commands and not build policies. So I need some >> more information here. >> >> From what you provided below, how do I determine what is currently in >> place and how do I add your stuff (changing postgresql with mysql, nat.) >> >> thanks > Quick’n’(really) dirty SELinux howto: > 1) Run the service. fails due to missing selinux policy. > 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M > myservice_policy Do you really mean 'service_pattern', or is this a placeholder for something like mysql? As I get 'Nothing to do' > 3) do what output says. (semodule -i myservice_policy.pp normally) > 4) goto 1. That way, you’ll create and allow step by step necessary > rights so your service ends up running normaly. > > The content I gave you is from mydovecot.te (human readable version > of .pp created by audit2allow). > > After a quick look at audit2allow man, it looks like you can get .pp by > doing: > make -f /usr/share/selinux/devel/Makefile myservice_policy.pp (it’ll > look after myservice_policy.te in PWD). > > HTH,