On Sun, Dec 20, 2009 at 09:25:58PM -0500, Steve Blackwell wrote: > On Fri, 18 Dec 2009 10:11:53 +0100 > Dominick Grift <domg472@xxxxxxxxx> wrote: > > > On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote: > > > I have a UPS that sends an SNMP trap when the main power goes out. > > > I wrote my snmptrapd.conf file to execute a script when the trap is > > > received. The script simply calls zenity to pop up a message. > > > > > > Here's my problem. If I start snmptrapd from the command line > > > everything works beautifully but if I have the system start it at > > > boot time or via System->Administration->Services, the trap gets > > > logged > > > > Because when you start it manually it gets executed in the users > > environment which is unrestricted/ unprotected in el5 > > OK, I see that now. I got a bit wrapped around the axel because > snmptrapd sometimes creates a file (I'm not quite sure > when) called /var/net-smpd/snmptrapd.conf and if I run > # /etc/rc.d/init.d/snmptrapd restart > as root it gets created with a snmpd_var_lib_t type but if I just > start snmptrapd from the command line as root it gets created with a > different type and then the system can't restart snmptrapd because it > doesn't have permission to write to that file. ... I think... > > > > > > in /var/log/messages but the zenity window doesn't get displayed > > > and I get these SELinux messages in /var/log/messages. > > > > > > SELinux is preventing the zenity from using potentially mislabeled > > > files (XO)... > > > > > > SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown> > > > <xserver_port_t>... > > > > > > I've looked at the ouput of > > > > > > # ps -ef | grep snmptrapd > > > > > > and it is identical in both cases so I don't understand why one > > > works and the other doesn't. I tried > > > > > > # cat /var/log/messages | audit2allow -m local > > > > The avc denial gets logged to .: > > > > ausearch -m avc -ts yesterday | grep snmpt_t | audit2allow -M mysnmp > > | semodule -i mysnmp.pp > > This was also confusing me because I had auditd turned off and so the > avc denials are supposed to go to /var/log/messages but it seems that > some still went to /var/log/audit/audit.log. > > Anyhow running this command helped in that I don't get any more avc > denials logged but I still don't see my dialog popup. I'm going to try > this again starting with a clean log. > > I have a few questions if you have the time to answer them. > > I have been reading this: > http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index.html > and this: > http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html > which I found quite useful but they are way out of date. Is there > anything comparable that is current? I recently wrote a bit about the policy structure in Fedora 12 , that also applies to 11 and to some degree el5. its here: http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fedora_12.pdf its not detailed though. > > My understanding is that a .te is a policy configuration file, a text > file and that a .pp file is a policy package, a binary file. Does > the .te file get "compiled" into a .pp file and if so how does this > happen? the .te , .fc and .if files make a complete source policy module. yes. A binary representation of this (.pp) is what gets loaded "into the kernel" This is done via the checkmodule and semodule_package commands. We usually use the installed /usr/share/selinux/devel/Makefile to do this (requires selinux-policy-devel on el5) > I read that the policy directory for Fedora systems is > /etc/security/selinux/src/policy > but neither the RHEL5.4 system at work nor my Fedora 11 system at home I think that is old (el4/fc4/5?) > has such a directory and the only .te file is in > /usr/share/selinux/devel. > Where is the accepted location to put .te files? > .te files is source policy. It should not get installed. The only source policy file that can get installed is the .if source policy file. This file is kind of like a header file. It has shared policy that can be used by other modules to interact with that modules' type. > Is there a way to "see" what a .pp file is doing? A disassembly of > sorts. I'd like to look at some examples. There are plenty of .pp files > in /etc/selinux/targeted/modules/active/modules. The is not pp disassembler but the sesearch command can be used to query the installed policy. (part of setools) > > Thanks, > Steve > > > > > > but that just produced a file that said: > > > > > > module local 1.0; > > > > > > and nothing else. > > > > > > I'm running RHEL5.4 with SELinux in enforcing mode. > > > > > > Any help would be appreciated. > > > > > > Thanks, > > > Steve > > > > > > -- > > > fedora-selinux-list mailing list > > > fedora-selinux-list@xxxxxxxxxx > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Attachment:
pgptqU1fd0H1B.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list