LinuxQuestions.org
Old 03-21-2009, 10:47 AM   #1
tinymark
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Rep: Reputation: 0
SELinux create policy with audit2allow


Hello to all the members. This is my first question. I have Fedora 10 running SELinux in enforcing mode. I have encountered a number of denials. I expected this. When I installed the system, I set SELinux to disabled to set the booleans I required. I then reset the mode to enforcing. My question is, should I add a module for each denial as I run into them or wait until I have multiple things to allow? TIA
 
Old 03-21-2009, 10:59 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
As Red Hat was one of the first distributions to champion SE Linux and Fedora inherited RH's documentation standards, the docs that came with your installation, the Fedora website and Wiki should be your first port of call. Next up, since posting here, could be searching LQ for any threads containing the term "selinux" and "audit2allow". Not that surprisingly, this was asked before. Not that I don't know the answer, don't want to answer or put this as an RTFM-like response but you know the fish slash fishing rod thingie in terms of self-reliance and such, right?
 
Old 03-21-2009, 12:58 PM   #3
tinymark
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
As Red Hat was one of the first distributions to champion SE Linux and Fedora inherited RH's documentation standards, the docs that came with your installation, the Fedora website and Wiki should be your first port of call. Next up, since posting here, could be searching LQ for any threads containing the term "selinux" and "audit2allow". Not that surprisingly, this was asked before. Not that I don't know the answer, don't want to answer or put this as an RTFM-like response but you know the fish slash fishing rod thingie in terms of self-reliance and such, right?
Ok unSpawn, before I came here I Google'd the life out of my question. I searched this forum. I can get a million answers that tell me how to run audit2allow. I've read the docs for audit2allow, same thing. I know how to create the .te and .pp files. If there is a post here that answers my question, I can't find it. If your fishing reference means Give a man a fish and he'll eat for a day. Teach a man to fish and he will eat for a lifetime. I know that one. As far as RTFM goes, I never ask questions without reading the manual.
 
Old 03-21-2009, 02:25 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
As you understand what SE Linux governs and having weeded out most denials the default ways, sure, you could split them up and add a module for each of them. OTOH, since it will be a local policy adjustment, but what's the benefit of having multiple modules? Usually it's not like you would manage SE Linux in a fine-grained way by regularly inserting, swapping or removing modules and wrt functionality it makes no difference: rules get loaded and that's about it.
 
Old 03-21-2009, 04:17 PM   #5
tinymark
LQ Newbie
 
Registered: Mar 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
As you understand what SE Linux governs and having weeded out most denials the default ways, sure, you could split them up and add a module for each of them. OTOH, since it will be a local policy adjustment, but what's the benefit of having multiple modules? Usually it's not like you would manage SE Linux in a fine-grained way by regularly inserting, swapping or removing modules and wrt functionality it makes no difference: rules get loaded and that's about it.
Thanks for your answer. I was concerned that I would end up with multiple modules. I figured out where I went wrong now. Instead of disabling SELinux I should have set it to permissive. That way I would have avoided several restarts and could have just run semodule every time I bumped into a denial until I was done setting everything up.
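The approach the thread arrives at (collect the denials, then build one local module), shown as an added example that is not part of any post above. The audit lines, the module name `mylocal` and the helper function names are constructed for illustration; `avc_to_rules` is a simplified stand-in for the rule summary audit2allow produces, useful for reviewing what a combined module would allow before it is loaded.

```shell
#!/bin/sh
# Constructed sample of audit.log lines (illustrative, not from the thread).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1237650000.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1237650000.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1237650003.220:44): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/u/www/index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1237650009.007:52): avc:  denied  { read } for  pid=2140 comm="httpd" name="a.css" dev=dm-0 ino=1240 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1237650100.500:60): avc:  denied  { search } for  pid=2300 comm="smbd" name="share" dev=dm-0 ino=900 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

# Fold AVC denials on stdin into one de-duplicated allow rule per
# (source type, target type, class), i.e. what a single module would carry.
avc_to_rules() {
    awk '
    function val(key,   i) {            # value of key=... on this line
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    /avc:/ && /denied/ {
        split(val("scontext"), s, ":"); split(val("tcontext"), t, ":")
        rule = s[3] " " t[3] ":" val("tclass")   # 3rd context field is the type
        a = index($0, "{"); b = index($0, "}")
        n = split(substr($0, a + 1, b - a - 1), p, " ")
        for (i = 1; i <= n; i++)
            if (!seen[rule, p[i]]++) list[rule] = list[rule] " " p[i]
    }
    END { for (r in list) print "allow " r " {" list[r] " };" }' | sort
}

# Real workflow on an SELinux host (needs root; not called by default).
build_local_module() {
    name=${1:-mylocal}                           # hypothetical module name
    ausearch -m avc -ts today | audit2allow -M "$name"  # writes .te and .pp
    cat "$name.te"                               # review the generated rules
    echo "after review: semodule -i $name.pp"
}

sample_log | avc_to_rules
```

Four denials from two domains collapse into two rules, which is why one reviewed module covers the same ground as several per-denial modules.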
 
  

