On Tuesday 09 November 2004 23:12, Thomas Vander Stichele <thomas@xxxxxxxxxxxxx> wrote:

> So I read some more of the howto. There's a binary called audit2allow
> that could help me generate rules. So I run it, restart apache a few
> times, but the binary doesn't print anything, not even with -v. Maybe
> I'm using it wrong, but there's no way of finding out if I am.

Here are some uses of it:

  dmesg|audit2allow
  audit2allow -d
  audit2allow < /var/log/messages

Note that audit2allow only produces policy; you then have to include that in your policy tree and recompile. To do that, install selinux-policy-targeted-sources, put a file named /etc/selinux/targeted/src/policy/domains/misc/custom.te in place with your policy, and then run "make -C /etc/selinux/targeted/src/policy load" to compile and load the policy.

> If all RH developers, who have "easy" access to the SELINUX
> people at Red Hat, were to use it, they'd have basic knowledge about it.
> When the next circle of developers - outside of redhat, but having links
> to inside - gets hit, they do the same. And so on.
>
> It looks to me like the first circle is already completely broken, hence
> halting the dissemination of information and increasing the annoyance
> level outside of Red Hat. It won't be long before sysadmins and users
> ignore the default and turn it off entirely.

There is no requirement that you learn about SE Linux from Red Hat employees. You can contact the Red Hat employees who work on SE Linux just as easily as any other Red Hat employee. Send email to rcoker@xxxxxxxxxx and I'll answer your questions about SE Linux and Fedora with the same priority that I would give to the same questions from a Red Hat employee.

If you want a good and fast response from me, the best thing to do is to post to a mailing list (such as this one) and CC me on this address. As you will notice, I am a bit behind in my mailing list email; if your original message had been CC'd to me you would have had a reply a long time ago.

> I understand that FC3 is relatively fresh and that not everything can be
> in place from the start.
> I just want to get a good picture of where SELINUX is at and how to
> solve issues, so that I can try to fix stuff myself, and explain to
> other people. Otherwise I'll just have to turn off SELINUX myself, and
> recommend the same to others when questions are asked about it.

SE Linux is in good shape technically. The documentation is lacking; all the people who know the code are very busy doing coding. That leaves a shortage of people who have the ability and time to write documentation. Things are improving, however; there is quite a bit of documentation going in other places, one of which is Linux Journal. We should probably make a page of links to all reliable sources of information. My web site has some of the needed links.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
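The mail above feeds dmesg or /var/log/messages into audit2allow and gets back allow rules for custom.te. The following is an added, simplified re-implementation of that core step (not code from the mail or from the audit2allow tool itself): it parses the kernel's "avc: denied" messages, pulls the source type, target type, object class and denied permissions out of each, and merges denials that share a (source, target, class) triple into one rule. The log lines are constructed samples in the classic AVC message format; the httpd_t/var_t/lib_t types and paths in them are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the kernel AVC denial format that
# audit2allow consumes. Types, pids and paths are made up for the example.
SAMPLE_LOG = """\
Nov  9 23:10:01 host kernel: audit(1100040601.123:0): avc:  denied  { getattr } for  pid=2211 exe=/usr/sbin/httpd path=/var/www/html/index.html dev=hda2 ino=4711 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
Nov  9 23:10:01 host kernel: audit(1100040601.124:0): avc:  denied  { read } for  pid=2211 exe=/usr/sbin/httpd path=/var/www/html/index.html dev=hda2 ino=4711 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
Nov  9 23:10:02 host kernel: audit(1100040602.001:0): avc:  denied  { search } for  pid=2211 exe=/usr/sbin/httpd name=lib dev=hda2 ino=12 scontext=root:system_r:httpd_t tcontext=system_u:object_r:lib_t tclass=dir
Nov  9 23:10:02 host kernel: eth0: link up
"""

# One denial carries the permission set in braces, then the security
# contexts (user:role:type) of the subject and object, then the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial.
    Lines without an AVC record are skipped, just as audit2allow ignores them."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]   # type is the 3rd field of a context
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def generate_allow_rules(text):
    """Merge denials with the same (source, target, class) into a single
    'allow' statement, the shape audit2allow emits for custom.te."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    # Read each generated rule before it goes into custom.te: every rule
    # widens the domain, and a denial on a mislabelled file is often better
    # fixed by relabelling than by granting the access.
    print("\n".join(generate_allow_rules(SAMPLE_LOG)))
```

Pipe real `dmesg` output into `generate_allow_rules` to see how two separate getattr/read denials on the same type collapse into one rule, which is why audit2allow output is shorter than the raw denial log.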