[CentOS] SELinux breaks Squid's ssl_crtd helper
Gordon Messmer
gordon.messmer at gmail.comSat Mar 10 17:18:04 UTC 2018
- Previous message: [CentOS] SELinux breaks Squid's ssl_crtd helper
- Next message: [CentOS] SELinux breaks Squid's ssl_crtd helper
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 03/09/2018 05:18 AM, Nicolas Kovacs wrote: > Do allow this > access for now by executing: > # ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd > # semodule -i my-sslcrtd.pp > > Unfortunately the suggested solution doesn't work Start by running "ausearch -c 'ssl_crtd' --raw" by itself. Try to determine whether or not all of the affected files are mentioned in that output. Typically, to generate a complete policy, you'll need to run in permissive mode while you operate the system, so that all of the things that you want to allow are recorded. Many services that need a new policy will generate more than one AVC denial, and in enforcing mode they'll terminate or at least cease processing the labeled resources that they need after the first denial. In permissive mode, you should get a better list of exceptions that are required, because AVCs are recorded, but the application isn't actually denied permission to those resources. When your logs are complete, remove the old module and generate a new one according to the directions from sealert.
- Previous message: [CentOS] SELinux breaks Squid's ssl_crtd helper
- Next message: [CentOS] SELinux breaks Squid's ssl_crtd helper
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list