-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2010 01:13 PM, m.roth@xxxxxxxxx wrote: > Daniel J Walsh wrote: >> On 12/07/2010 12:46 PM, m.roth@xxxxxxxxx wrote: >>> Daniel J Walsh wrote: >>>> On 12/07/2010 11:59 AM, Benjamin Franz wrote: >>>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote: > <mvnch> >>> What have you done for folks who have third-party software, either F/OSS >>> or COTS, or in-house developed stuff, *none* of which was written with >>> selinux in mind, and is *not* going to be rewritten any time soon? >>> You've seen me on the selinux list, and I have yet to figure out why I > see the >>> complaints about contexts, since they *appear* to be temp files, and I >>> don't know where they're located, or where the CGI scripts are that >>> create them are, and *all* of it's got the added complexity that some > of that >>> are on NFS-mounted directories. >> >> We have attempted to work with them, setup default labeling for them >> when we know about the problems, embarrass them when they say you need >> to disable SELInux. Red Hat is working on new developer tools to help >> third party developers work on RHEL systems. I am not sure what else I >> can do to get them to work with the security systems in place on RHEL. > > Ok, it's good to know you are thinking about that. How 'bout a tool, point > it at a directory, and it reports only the files/directories that are > default, or break policy, or that *might* suggest where there's a problem > (scripts in this directory will write default_t if they run anywhere but > /here/ohly/, etc? > > mark > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos I think you would need to further explain. We can tell you what file directory is mislabeled # restorecon -R -N -v PATH We can tell which types have access to which types seseach -A -s httpd_t -t default_t Are you looking for something like What access does /usr/bin/httpd have to /myweb/html? What types does /usr/bin/httpd have write access to? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+jpEACgkQrlYvE4MpobM/ZwCg1eA8BXjjcevAUfPiMHVXyyvj GAsAoIAroEzhxQEnhPb9Dnhinof1yV55 =/hYg -----END PGP SIGNATURE----- _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos