Ah, sorry, I should have been clearer: this is on a RHEL 5 setup, so as far as I know this all has to be generated by hand, unless it is possible for me to pull the module from Fedora; then of course I would have to make my ruby and passenger install conform to what is expected.

Yeah, I know this is not a policy per se, and this is one of my rubs with SELinux: it takes a lot of research and understanding to get to the point of being able to generate policy that anyone can have confidence in. It was a bit simpler, albeit looser, with DAC, and sadly we just end up hoping that someone who knows what they are doing will make a policy for us, or sit down and study SELinux for a month or two and take a whack at it ourselves.

Any good book recommendations? I have read through SELinux by Example, as that seems to be the most recommended, but there doesn't seem to be much published in the last 4 years or so.

I don't like what audit2allow has done here. It isn't audit2allow's fault, it is just a matter of the huge number of requests that passenger is putting through the system. Why, for instance, does it need access to syslogd_t, or crond_t, or snmpd_t? Trying to deduce where these access calls are coming from and if/why they are needed is difficult for me.

Anyway, I am sure Fedora will get there, but this little module may have to suffice for my needs (back in the olden days) on RHEL 5.

-Erinn

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux