Hi Stephen and all,

I searched for a possibility to see what rules are defined in the SELinux module for munin. After reading a lot of man pages of all the SELinux tools that I found on my system, without a result for this issue, I took a look at the SELinux knowledge base here: http://fedoraproject.org/wiki/SELinux and saw

"seedit" selinux policy editor (and accompanying simplified policy language)
http://seedit.sourceforge.net/

"You can try SELinux Policy Editor on Fedora Core 6,7,8 or CentOS 4, Cent OS5. It will not affect existing SELinux policies so it is possible to revert to the default settings easily."

Hmmm, at the first call it asks for initialization. I agreed. It needs a reboot and after that, all policy rules were replaced by *simple* ones. And the mode is now *permissive*, no longer *targeted*.

I find no possibility to load a module for editing (e.g. the munin targeted module). So this experiment was useless for my purpose.

After switching the mode to *targeted* again (but no reboot so far) I see none of the old modules. All contexts are *unconfined*.

How can I get the original state back?

On Friday, 12.09.2008, at 09:49 -0400, Stephen Smalley wrote:
> On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
> > I use Munin (http://munin.projects.linpro.no/)
> > Now my first question:
> >
> > Plugin smart_ is written in Python.
> > It calls "smartctl" from the smartmontools package
> > (http://smartmontools.sourceforge.net/) to read the
> > values of the SMART-Attributes from the harddisks.
> >
> > #============= munin_t ==============
> > allow munin_t fixed_disk_device_t:blk_file getattr;
> > -------------------------------
>
> Ideally the munin_t domain itself shouldn't need any access to the raw
> device - it should transition into the existing domain for smartd
> (fsdaemon_t) upon executing the smartctl program.

How can this be done?

> I don't know offhand
> if the existing munin policy module has such a domain transition rule.

I would like to look at the rules defined in the policy module.
How can I do this?

> However, mere getattr access (i.e. the ability to stat the file) isn't a
> big deal, so you could likely grant that one w/o difficulty. What would
> be more problematic is allowing read or write access to the raw device.

ok, thanks! I'll add this rule as soon as I have my original state restored on the system.

Kind regards,
Gabriele