SELinux / RH4 - making an amendment to a pre-compiled policy
We have a RH4 based system that has been delivered with a SELinux policy installed. On inspection of the install media, the SELinux policy has been installed from an RPM file and contains some Contexts files (in plain text format) and the policy in a pre-compiled binary format.
We have added sshd to this system but have found that the policy prevents access to the ssh port when SELinux is in Enforcing mode.
I have run audit2allow against the audit.log and have an exception which would seem to get round this but I cannot find any way to update the policy with the exception. We do not have the original source text that was used to create the compiled binary.
Most of the methods I have found seem to be based on RH5. Does anyone have any ideas?
You have managed to remove the OP's question from the zero-reply list, without giving a shred of help. He isn't asking for anyone's opinion or preferences about SELinux, and I bet he's aware that it's complicated, but by the sounds of things, he's got somewhat of a handle on the situation, and needs some help.
Do you have any constructive advice to offer, regarding the particular question he asked?
Just in case anyone is interested, it would seem the answer to my question is...you can't.
We have since been provided with the source used to produce the binary, so we are now using that to produce a customised policy for our implementation.
By default Red Hat runs a monolithic policy. If you want to use audit2allow you must first compile a modular policy. Once you have a modular policy audit2allow can then create a module that can just be loaded on the fly (there are some security concerns with doing so) but that is what is required in order to do so.
Can you install "SELinuxTroubleshooter" in RHEL 4?
You really don't need that as the "policycoreutils" package contains 'audit2allow' which you do need as slimm609 already said.
Quote:
Originally Posted by DorsetBlue
I have run audit2allow against the audit.log and have an exception which would seem to get round this but I cannot find any way to update the policy with the exception.
The really, really bad way (wrt security concerns) would be to run 'audit2allow -M localpolicy < /var/log/audit/audit.log && semodule -i localpolicy'. Better isolate the messages you need to react to (ausearch using session or start and end time or other filters) and pipe those select messages through audit2allow.
* If you have the AVC lines post them here, preferably in BB code tags.
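
The filtering step recommended in the last post (isolate only the denials you mean to react to before anything reaches audit2allow), as an added example that is not part of the original thread. The log lines, timestamps and type names are constructed, and `parse_avc`, `select` and `summarize` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Matches the fields of an AVC denial that matter for review.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}.*?comm="?(?P<comm>[^"\s]+)"?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Constructed sample lines (not from the thread); types and times are made up.
SAMPLE = [
    'type=AVC msg=audit(1200000100.101:501): avc:  denied  { name_bind } for  pid=2301 comm="sshd" src=22 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket',
    'type=AVC msg=audit(1200000101.000:504): avc:  denied  { name_bind } for  pid=2302 comm="sshd" src=22 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket',
    'type=AVC msg=audit(1200000130.250:502): avc:  denied  { getattr } for  pid=2301 comm="sshd" name="motd" dev=hda1 ino=4321 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file',
    'type=AVC msg=audit(1200000200.000:503): avc:  denied  { read } for  pid=2400 comm="httpd" name="shadow" dev=hda1 ino=1234 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file',
    'type=AVC msg=audit(1199990000.000:400): avc:  denied  { write } for  pid=1999 comm="sshd" name="tmp" dev=hda1 ino=77 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tmp_t tclass=dir',
    'type=SYSCALL msg=audit(1200000100.101:501): arch=40000003 syscall=102 success=no exit=-13 comm="sshd"',
]

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["perms"] = rec["perms"].split()
    rec["raw"] = line
    return rec

def select(lines, comm, start, end):
    """Keep only denials for one command inside a time window (epoch seconds)."""
    recs = (parse_avc(l) for l in lines)
    return [r for r in recs if r and r["comm"] == comm and start <= r["ts"] <= end]

def summarize(records):
    """Group by (source type, target type, class) so each grant can be reviewed."""
    rules = defaultdict(set)
    for r in records:
        key = (r["scontext"].split(":")[2], r["tcontext"].split(":")[2], r["tclass"])
        rules[key].update(r["perms"])
    return {k: sorted(v) for k, v in rules.items()}

if __name__ == "__main__":
    picked = select(SAMPLE, "sshd", 1200000000.0, 1200000600.0)
    for (src, tgt, cls), perms in summarize(picked).items():
        print("%s -> %s:%s { %s }" % (src, tgt, cls, " ".join(perms)))
    for r in picked:  # only these lines would be piped on to audit2allow
        print(r["raw"])
```

The httpd denial and the sshd denial from outside the window never reach the output, which is the difference from feeding the whole of audit.log to audit2allow.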