Re: How to build clamav SRPM and RPM with clamav tarball - CentOS 5




On Mon, 2007-06-25 at 09:16 -0400, Jim Perrin wrote:
> Rebuilding the code won't solve the problem. You'll have to modify the
> selinux rules so that these actions are allowed. For Centos5 and rhel5
> this is pretty easy.
> 
> 1. Enable selinux in permissive mode, and capture the selinux error
> messages. They'll likely be in /var/log/audit/audit.log or
> /var/log/messages
> 2. Run audit2allow -i selinux.log -M localpolicy
> 3. Next you load the module you just created with 'semodule -i localpolicy.pp'
> 
> Lather, rinse, repeat.

Actually, I don't think this is a very good idea (I know it is suggested
in upstream documentation). For instance, suppose that clamav is tagged
as, say, 'bin_t', and executing clamav was rejected. The above will
usually add an allow rule for executing bin_t binaries for the context of
the caller. This obviously punches a big hole in a policy if it does not
allow such a thing.

Make your own policy modules for local policy (you could create a start
with command (2)), but add and check rules and contexts manually.
audit2allow is a nice tool to see what was denied, but its output should
not be copied verbatim.

-- Daniel

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
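
Added example, not part of the original message: a small reviewer for audit2allow-generated `.te` source that flags allow rules granting execute or write-type permissions on a generic label such as bin_t, which is the case described in the reply above. The sample policy text, the domain name `caller_t`, and the lists of generic types and risky permissions are assumptions made for this illustration.

```python
import re

# Constructed sample of the .te source that "audit2allow -M localpolicy" writes
# for the case in the message (clamav labelled bin_t, execution denied).
# caller_t is a hypothetical domain; the second rule is constructed for contrast.
SAMPLE_TE = """
module localpolicy 1.0;
require {
    type caller_t;
    type bin_t;
    type clamd_var_run_t;
    class file { execute execute_no_trans };
    class sock_file write;
}
allow caller_t bin_t:file { execute execute_no_trans };
allow caller_t clamd_var_run_t:sock_file write;
"""

# Labels shared by many unrelated files (assumed starting list; extend per policy).
GENERIC_TYPES = {"bin_t", "usr_t", "etc_t", "lib_t", "var_t", "tmp_t",
                 "default_t", "file_t", "unlabeled_t"}
# Permissions that deserve a second look when granted on a shared label.
RISKY_PERMS = {"execute", "execute_no_trans", "write", "append", "create",
               "unlink", "setattr", "relabelto"}

RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?):(\S+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)

def parse_allow_rules(te_text):
    """Return (source, target, class, permission set) for each allow rule."""
    return [(src, tgt, cls, set(perms.strip("{} ").split()))
            for src, tgt, cls, perms in RULE_RE.findall(te_text)]

def review(te_text):
    """Flag rules that grant risky permissions on a generic target type."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        risky = sorted(perms & RISKY_PERMS)
        if tgt in GENERIC_TYPES and risky:
            findings.append((src, tgt, cls, risky))
    return findings

if __name__ == "__main__":
    for src, tgt, cls, risky in review(SAMPLE_TE):
        print(f"REVIEW {src} -> {tgt}:{cls} {risky}: applies to every {cls} "
              f"labelled {tgt}; consider a dedicated type for the one binary")
```

Run it against the generated `localpolicy.te` before compiling and loading the module; a flagged rule is a prompt to relabel the one file with a narrower type rather than to load the rule as written.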
