On 03Jul2011 17:35, Paul Allen Newell <pnewell@xxxxxxxxxx> wrote:
| On 7/3/2011 5:15 PM, Cameron Simpson wrote:
| > On 03Jul2011 15:02, Paul Allen Newell<pnewell@xxxxxxxxxx> wrote:
| > | On 7/3/2011 2:54 PM, Paul Morgan wrote:
| > |>it really is bad form to run a script out of root's home
| > |>directory.
| >
| > A little untidy, sure. But... [...]
| >
| > And regarding the "why does selinux log so much with setenforce 0":
| > selinux isn't off, it is just in "permissive" mode - report all
| > violations of the rules but don't prevent them. It is a debugging mode;
| > the intent is that you correct your rules. You can also run the system
| > with selinux genuinely off, though I think it may need a reboot once
| > selinux has been started at all.
|
| Regarding where to put it, I was already thinking /usr/local/{bin,sbin},
| just wanted to figure out whether bin or sbin was better (gut instinct
| would be bin)

My habit for a virus scanner would be sbin; these days bin is for general
purpose commands while sbin is for administrative commands (eg setenforce)
and daemons (eg sshd).

In the distant past the "s" meant "standalone" or "static(ally-linked)";
things that would work before anything other than the (usually quite small)
root filesystem was first mounted. So: core utilities needed for bootstrap
(thus "standalone") and also the stuff needed to run before the shared
libraries from /usr/lib were available (so "statically linked" - the library
code built in to the executable); in those days /usr was normally a separate
filesystem - indeed that's the whole reason we have both / (/bin, /sbin etc)
and /usr (/usr/bin, /usr/sbin et al) - they were once separate filesystems.
Of course, the standalone meaning came first, predating shared library
support...

| I have managed to figure out that there is this mode known as
| "permissive" and that sure cleared up a lot of my "on/off" assumptions.

Yah.

See the file /etc/sysconfig/selinux on Red Hat derived systems like Fedora
(maybe "derived" should be "related" or "precursor" or "bleeding edge" here,
but...)

| I have been reading up about rules and audit2allow. Makes sense in
| theory, but when I looked at the rule that was generated with
| audit2allow, it's 365 lines long. Plus trying multiple reboots gives me
| warnings about different files. When rebooting, I see 50 warnings; when
| I run as root, I see @270 warnings (only /home for reboot; all searched
| directories for running in terminal). The 365 is only for the 50 warning
| version ...

I expect it varies depending on what clamscan thinks it needs to scan each
time. Do you run prelink? It hacks binaries about on a regular basis and may
be causing clamscan to be more active.

| I can't see any way to temporarily disable selinux from catching
| violations while I do the clamscan (though the pop-up asks me if I want
| alerts, it doesn't look like getting an alert prevents the violation
| from being caught)
|
| My first question is whether there is a way to go "allow clamscan_t *
| {read open search getattr}" so that clamscan will have permission to
| examine anything on the system (which is what I would want with a virus
| scan, right?).

That's what I would look for. I am not an selinux guru and can't help you
with the syntax there, but I would think you're on the right track with that
rule.

| I discovered that the write warnings were for the debug
| writing to *.out and *.err per your suggestion, so I gratefully don't
| have to give clamscan write clearance.

Excellent, since it seems to use its own log file anyway.

| The second question is why wouldn't selinux be defaulted to allow clamav
| given that's what Fedora seems to be suggesting/using?

Maybe it is, if it runs from /etc/init.d or something. Is clamav a Fedora
supplied package? If so, why is it run from rc.local instead of via a
conventional presupplied chkconfig-controlled start/stop script?
Cheers,
-- 
Cameron Simpson <cs@xxxxxxxxxx> DoD#743
http://www.cskk.ezoshosting.com/cs/

Third, I propose prompt action on legislation extending and reforming the
state's asset seizure law. The current law, which is a valuable tool for law
enforcement in its fight against drug criminals, is set to expire on January
1st. This law provides over $30 million a year to law enforcement agencies,
and should be quickly renewed. - Kathy Brown

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
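Added example, not from either poster and not from the ClamAV or SELinux projects: a small POSIX shell script illustrating the two points in the exchange above, why the audit2allow output runs to hundreds of lines, and how the "allow clamscan_t * { ... }" rule asked about would actually be written. The AVC denial lines are constructed in the shape permissive mode records (the paths, pids and inode numbers are invented). avc_to_rules does per line what audit2allow does: one allow rule per source type, target type and object class, so a scan that crosses many differently labelled directories yields one rule per label. collapse_rules then folds those onto the reference policy's `file_type` attribute, which every file-labelling type carries; SELinux policy has no `*` target, and an attribute is the standard way to say "any file type".

```shell
#!/bin/sh
# Constructed AVC denials (not copied from any real audit log), in the form
# permissive mode logs for a clamscan run that crosses several labels.
AVC_SAMPLE='type=AVC msg=audit(1309734000.123:456): avc:  denied  { read open } for  pid=1234 comm="clamscan" path="/home/user/file.txt" dev=sda2 ino=100 scontext=unconfined_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309734000.124:457): avc:  denied  { search getattr } for  pid=1234 comm="clamscan" name="user" dev=sda2 ino=101 scontext=unconfined_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309734000.125:458): avc:  denied  { read } for  pid=1234 comm="clamscan" path="/var/log/messages" dev=sda2 ino=102 scontext=unconfined_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# One "allow SRC TGT:CLASS { perms };" line per AVC record, the way
# audit2allow reports it: the source and target types are the third field
# of scontext= and tcontext=, the class is tclass=, the permissions are the
# braced list after "denied".
avc_to_rules() {
  printf '%s\n' "$1" | sed -n \
    's/.*denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1 };/p'
}

# Fold the per-type rules onto the refpolicy file_type attribute, producing
# one rule per source type and object class with the union of permissions.
# This is the policy-language form of "clamscan_t may read any file".
collapse_rules() {
  avc_to_rules "$1" | awk '{
      cls = $3; sub(/^[^:]*:/, "", cls)
      perms = $0; sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) print $2, cls, p[i]
    }' | sort -u | awk '{
      key = $1 " file_type:" $2; perms[key] = perms[key] " " $3
    } END {
      for (k in perms) print "allow " k " {" perms[k] " };"
    }' | sort
}

echo '# per-type rules, as audit2allow would emit them:'
avc_to_rules "$AVC_SAMPLE"
echo '# collapsed onto the file_type attribute:'
collapse_rules "$AVC_SAMPLE"
```

The generated text is only the body of a type enforcement module; it still has to be wrapped in a `module` declaration with the required types and attributes, built with checkmodule and semodule_package, and loaded with semodule (audit2allow -M does those steps for you) before it changes anything. The trade-off of the collapsed rule is exactly what the poster asks about: granting read on `file_type` includes sensitive labels such as `shadow_t`, which is what a whole-system scanner needs but also what makes the scanner's own integrity worth watching.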