On 21/12/09 02:25, Steve Blackwell wrote:
> On Fri, 18 Dec 2009 10:11:53 +0100 Dominick Grift <domg472@xxxxxxxxx> wrote:
>> On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
>>> I have a UPS that sends an SNMP trap when the main power goes out. I wrote my snmptrapd.conf file to execute a script when the trap is received. The script simply calls zenity to pop up a message.
>>>
>>> Here's my problem. If I start snmptrapd from the command line everything works beautifully but if I have the system start it at boot time or via System->Administration->Services, the trap gets logged
>>
>> Because when you start it manually it gets executed in the user's environment which is unrestricted/unprotected in el5
>
> OK, I see that now. I got a bit wrapped around the axle because snmptrapd sometimes creates a file (I'm not quite sure when) called /var/net-smpd/snmptrapd.conf and if I run
>
>   # /etc/rc.d/init.d/snmptrapd restart
>
> as root it gets created with a snmpd_var_lib_t type, but if I just start snmptrapd from the command line as root it gets created with a different type and then the system can't restart snmptrapd because it doesn't have permission to write to that file. ... I think...
>
>>> in /var/log/messages but the zenity window doesn't get displayed and I get these SELinux messages in /var/log/messages.
>>>
>>>   SELinux is preventing the zenity from using potentially mislabeled files (XO)...
>>>   SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown> <xserver_port_t>...
>>>
>>> I've looked at the output of
>>>
>>>   # ps -ef | grep snmptrapd
>>>
>>> and it is identical in both cases so I don't understand why one works and the other doesn't. I tried
>>>
>>>   # cat /var/log/messages | audit2allow -m local
>>
>> The avc denial gets logged to .:
>>
>>   ausearch -m avc -ts yesterday | grep snmpd_t | audit2allow -M mysnmp | semodule -i mysnmp.pp
>
> This was also confusing me because I had auditd turned off and so the avc denials are supposed to go to /var/log/messages but it seems that some still went to /var/log/audit/audit.log.
>
> Anyhow, running this command helped in that I don't get any more avc denials logged but I still don't see my dialog popup. I'm going to try this again starting with a clean log.
>
> I have a few questions if you have the time to answer them. I have been reading this:
> http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index.html
> and this:
> http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html
> which I found quite useful but they are way out of date. Is there anything comparable that is current?
>
> My understanding is that a .te is a policy configuration file, a text file, and that a .pp file is a policy package, a binary file. Does the .te file get "compiled" into a .pp file and if so how does this happen?
>
> I read that the policy directory for Fedora systems is /etc/security/selinux/src/policy but neither the RHEL5.4 system at work nor my Fedora 11 system at home has such a directory and the only .te file is in /usr/share/selinux/devel. Where is the accepted location to put .te files?
>
> Is there a way to "see" what a .pp file is doing? A disassembly of sorts. I'd like to look at some examples. There are plenty of .pp files in /etc/selinux/targeted/modules/active/modules.
>
> Thanks,
> Steve
>
>>> but that just produced a file that said:
>>>
>>>   module local 1.0;
>>>
>>> and nothing else. I'm running RHEL5.4 with SELinux in enforcing mode. Any help would be appreciated.
>>>
>>> Thanks,
>>> Steve
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Steve,

we have two selinux docs in the fedora docs at http://docs.fedoraproject.org/

Also maybe Daniel's blog might be useful to you @ http://danwalsh.livejournal.com/

There are more, but I can't think of them at the moment. If you harass fenris02 in #fedora, and ask him for the SELinux links, he has got a script that blahs them out.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Thawte Notary

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
Attachment: smime.p7s (S/MIME Cryptographic Signature)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
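Dominick's `ausearch ... | audit2allow -M mysnmp` pipeline and the bare `module local 1.0;` that Steve got out of `cat /var/log/messages | audit2allow -m local` both come down to what audit2allow does with AVC records, which is also the answer to Steve's question about what a .te file is. The following is an added example, not code from anyone on the list: it parses AVC denial lines in both the auditd (`type=AVC`) format and the kernel-message format that reaches /var/log/messages when auditd is off, merges them per (source type, target type, class), and renders the .te source that `audit2allow -m local` would print. The log lines are constructed for the example (the host name `ups-host`, the pids and the timestamps are made up); the denial itself mirrors the one Steve quoted, zenity in `snmpd_t` attempting `name_connect` to `xserver_port_t`.

```python
"""Rebuild the allow rules audit2allow derives from SELinux AVC denials.

Added example for this thread, not code from any of the posts. The sample
log lines are constructed: host name, pids and timestamps are made up; the
denial mirrors the zenity / snmpd_t / xserver_port_t one from the thread.
"""
import re
from collections import defaultdict

# "avc: denied { perms } for key=value ..." appears both in auditd's
# type=AVC records and in the kernel messages that land in /var/log/messages
# when auditd is not running, so one regex covers both log formats.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed input: one auditd record, one syslog'd kernel record of the
# same denial (a second zenity attempt) and one ordinary snmptrapd line.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1261099000.101:77): avc:  denied  { name_connect } for  '
    'pid=2468 comm="zenity" dest=6000 scontext=root:system_r:snmpd_t:s0 '
    'tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket',
]
SAMPLE_MESSAGES = [
    'Dec 17 20:30:01 ups-host snmptrapd[2460]: 2009-12-17 20:30:01 UDP: '
    '[192.0.2.10]:161 TRAP, SNMP v1, community public',
    'Dec 17 20:30:02 ups-host kernel: audit(1261099002.202:78): avc:  denied  '
    '{ name_connect } for  pid=2471 comm="zenity" dest=6000 '
    'scontext=root:system_r:snmpd_t:s0 '
    'tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket',
]


def parse_avc(line):
    """Return (source type, target type, class, {perms}) for an AVC denial
    line, or None for any line that is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('rest')))
    try:
        # contexts are user:role:type[:level]; an allow rule needs only the type
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, set(m.group('perms').split())


def collect_rules(lines):
    """Merge denials into {(stype, ttype, tclass): {perms}}, the granularity
    of one allow rule; repeated denials of the same access collapse."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def to_te(rules, name='local', version='1.0'):
    """Render the rules as .te source in the layout audit2allow uses: the
    module header, a require block for every type and class referenced,
    then one allow rule per (source, target, class)."""
    lines = [f'module {name} {version};']
    if not rules:
        return '\n'.join(lines) + '\n'   # no AVC input: header only
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines += ['', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {_perm_list(classes[c])};' for c in sorted(classes)]
    lines += ['}', '']
    for key in sorted(rules):
        stype, ttype, tclass = key
        lines.append(f'allow {stype} {ttype}:{tclass} {_perm_list(rules[key])};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(to_te(collect_rules(SAMPLE_AUDIT_LOG + SAMPLE_MESSAGES)), end='')
```

Feeding it only the trap line, with no AVC record in the input, yields exactly the bare `module local 1.0;` Steve saw; that is what audit2allow prints when nothing it reads is a denial, and it is why the messages file was the wrong input once the records had gone to audit.log. The .te text becomes a .pp in two steps, `checkmodule -M -m -o local.mod local.te` followed by `semodule_package -o local.pp -m local.mod`, and is installed with `semodule -i local.pp`; `audit2allow -M` runs those steps for you. Review every generated allow rule before installing it: the rule above applies to everything running in `snmpd_t`, not only to the trap-handler script, so it also widens what a compromised snmptrapd could reach.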