LinuxQuestions.org


tinymark 03-21-2009 10:47 AM

SELinux create policy with audit2allow
 
Hello to all the members. This is my first question. I have Fedora 10 running SELinux in enforcing mode. I have encountered a number of denials. I expected this. When I installed the system, I set SELinux to disabled to set the booleans I required. I then reset the mode to enforcing. My question is, should I add a module for each denial as I run into them or wait until I have multiple things to allow? TIA

unSpawn 03-21-2009 10:59 AM

As Red Hat was one of the first distributions to champion SE Linux and Fedora inherited RH's documentation standards, the docs that came with your installation, the Fedora website and Wiki should be your first port of call. Next up, since posting here, could be searching LQ for any threads containing the term "selinux" and "audit2allow". Not that surprisingly, this was asked before. Not that I don't know the answer, don't want to answer or put this as an RTFM-like response but you know the fish slash fishing rod thingie in terms of self-reliance and such, right?

tinymark 03-21-2009 12:58 PM

Quote:

Originally Posted by unSpawn (Post 3483221)
As Red Hat was one of the first distributions to champion SE Linux and Fedora inherited RH's documentation standards, the docs that came with your installation, the Fedora website and Wiki should be your first port of call. Next up, since posting here, could be searching LQ for any threads containing the term "selinux" and "audit2allow". Not that surprisingly, this was asked before. Not that I don't know the answer, don't want to answer or put this as an RTFM-like response but you know the fish slash fishing rod thingie in terms of self-reliance and such, right?

Ok unSpawn, before I came here I Google'd the life out of my question. I searched this forum. I can get a million answers that tell me how to run audit2allow. I've read the docs for audit2allow, same thing. I know how to create the .te and .pp files. If there is a post here that answers my question, I can't find it. If your fishing reference means "Give a man a fish and he'll eat for a day. Teach a man to fish and he will eat for a lifetime", I know that one. As far as RTFM goes, I never ask questions without reading the manual.

unSpawn 03-21-2009 02:25 PM

As you understand what SE Linux governs and having weeded out most denials the default ways, sure, you could split them up and add a module for each of them. OTOH, since it will be a local policy adjustment, what's the benefit of having multiple modules? Usually it's not like you would manage SE Linux in a fine-grained way by regularly inserting, swapping or removing modules and wrt functionality it makes no difference: rules get loaded and that's about it.

tinymark 03-21-2009 04:17 PM

Quote:

Originally Posted by unSpawn (Post 3483373)
As you understand what SE Linux governs and having weeded out most denials the default ways, sure, you could split them up and add a module for each of them. OTOH, since it will be a local policy adjustment, what's the benefit of having multiple modules? Usually it's not like you would manage SE Linux in a fine-grained way by regularly inserting, swapping or removing modules and wrt functionality it makes no difference: rules get loaded and that's about it.

Thanks for your answer. I was concerned that I would end up with multiple modules. I figured out where I went wrong now. Instead of disabling SELinux I should have set it to permissive. That way I would have avoided several restarts and could have just run semodule every time I bumped into a denial until I was done setting everything up.

