On Wed, 2020-06-24 at 12:12 +0200, Iñaki Ucar wrote:
> Thanks, I got [1] and [2] more or less covered thanks to the output of
> the SELinux troubleshooter. The missing parts were how to get policies
> into a subpackage (and [3] explains this, thanks), and how to write a
> rule just for my script, not for the whole python3 stack, and I'm
> still missing that bit.

So I can't exactly point you to some documents, but the link below may help.

The basic idea is you need to label your script and give it a type, and then allow that type to access the type/action it's trying to do. Like the httpd daemon has a type and there are then file types, and a process running in the httpd_t domain can read files but not talk to the network, for example...

Hope that helps.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-Security-Enhanced_Linux-SELinux_Contexts

> [1] https://fedoraproject.org/wiki/SELinux/audit2why
> [2] https://fedoraproject.org/wiki/SELinux/audit2allow
> [3] https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>
> --
> Iñaki Úcar
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
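
The labelling approach described in the reply above, as an added example that is not part of the original message: a minimal policy module that gives one script its own domain, so that rules name that domain rather than everything python3 runs. The module name, the types `myscript_t`, `myscript_exec_t` and `myscript_var_lib_t`, the paths `/usr/libexec/myscript` and `/var/lib/myscript`, and the script being started as a systemd service are all assumptions; the macros are the ones shipped with the reference policy development files.

```selinux
# myscript.te: added example, every name below is hypothetical
policy_module(myscript, 1.0.0)

# The domain the script's process runs in, and the label carried by the
# script file itself.
type myscript_t;
type myscript_exec_t;

# Assumption: the script is started by systemd as a service. This macro
# makes myscript_exec_t the entry point of myscript_t and has init
# transition into myscript_t when it executes a file with that label.
# Other python3 programs keep whatever domain they already run in.
init_daemon_domain(myscript_t, myscript_exec_t)

# The "#!/usr/bin/python3" interpreter is loaded inside myscript_t, so
# this domain (and only this one) needs to execute bin_t files.
corecmd_exec_bin(myscript_t)

# A private file type for the script's own data, mirroring the
# "process type plus file types" split that httpd_t uses.
type myscript_var_lib_t;
files_type(myscript_var_lib_t)
manage_dirs_pattern(myscript_t, myscript_var_lib_t, myscript_var_lib_t)
manage_files_pattern(myscript_t, myscript_var_lib_t, myscript_var_lib_t)

# Any further rules that audit2allow proposes after this module is loaded
# will have myscript_t as their source type and belong in this file.

# myscript.fc (a separate file next to myscript.te) assigns the labels:
# /usr/libexec/myscript    --  gen_context(system_u:object_r:myscript_exec_t,s0)
# /var/lib/myscript(/.*)?      gen_context(system_u:object_r:myscript_var_lib_t,s0)
```

With `selinux-policy-devel` installed, `make -f /usr/share/selinux/devel/Makefile myscript.pp` builds the module, `semodule -i myscript.pp` loads it, and `restorecon -Rv /usr/libexec/myscript /var/lib/myscript` applies the labels. After a restart of the service, `ps -eZ` should show the process in `myscript_t`.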