On 01/17/2011 09:31 PM, Erinn Looney-Triggs wrote:
> Ah, sorry, I should have been clearer: this is on a RHEL 5 setup, so as
> far as I know this all has to be generated by hand, unless it is
> possible for me to pull the module from Fedora, then of course I would
> have to make my ruby and passenger install conform to what is expected.
>
> Yeah, I know this is not a policy per se, and this is one of my rubs with
> SELinux, it takes a lot of research and understanding to get to the
> point of being able to generate policy that anyone can have confidence
> in. It was a bit simpler albeit looser with DAC, and sadly we just end
> up hoping that someone who knows what they are doing will make a policy
> for us, or sit down and study SELinux for a month or two and take a
> whack at it ourselves. Any good book recommendations? I have read
> through SELinux by Example as that seems to be the most recommended, but
> there doesn't seem to be much published in the last 4 years or so.

Before you, there were several others with issues identical to yours. I offered my help to both, but after a while they gave up and left me with an unfinished policy.

I do not use Ruby on Rails nor do I use Passenger, and I have no experience with either one of those. To create a policy for some application one needs to be able to test and configure it properly. Without that help I am unable to write a good policy.

This is what I have so far:

http://fedorapeople.org/gitweb?p=domg472/public_git/ruby.git;a=summary

mgrepl is going to use what I have to create a better policy for Fedora. However, with that we would still need to port it to EL5, and we should probably also make it compatible with the non-packaged version available on Ruby's website (it has files in different paths etc.). All in all, a lot of work if you ask me.
> I don't like what audit2allow has done here, it isn't audit2allow's
> fault, it is just a matter of the huge number of requests that passenger
> is putting through the system, why for instance does it need access to
> syslogd_t, or crond_t, or snmpd_t? Trying to deduce from where these
> access calls are coming and if/why they are needed is difficult for me.
>
> Anyway, I am sure Fedora will get there, but this little module may have
> to suffice for my needs (back in the olden days) on RHEL 5.

Yes, it's not perfect, but it's something.

> -Erinn
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
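As an added example that is not part of this thread or of the ruby policy linked above: a small Python script that groups AVC denials from audit.log by source type, target type and object class and keeps the commands and objects behind each group, which is the first step in answering the question raised above (why would passenger need access to syslogd_t, crond_t or snmpd_t) before feeding anything to audit2allow. The sample audit records and the source domain name passenger_t are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records: pids, inodes, timestamps and the
# source domain "passenger_t" are made up; the target types are the ones
# asked about in the thread. The SYSCALL record shows non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295300100.101:2001): avc:  denied  { read } for  pid=2301 comm="ruby" name="stat" dev=proc ino=9001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=file
type=AVC msg=audit(1295300100.102:2002): avc:  denied  { read } for  pid=2301 comm="ruby" name="stat" dev=proc ino=9002 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=file
type=AVC msg=audit(1295300100.103:2003): avc:  denied  { getattr } for  pid=2301 comm="ruby" path="/proc/801" dev=proc ino=9003 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir
type=AVC msg=audit(1295300101.200:2004): avc:  denied  { sendto } for  pid=2305 comm="ruby" path="/dev/log" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1295300101.200:2004): arch=c000003e syscall=44 success=no exit=-13 comm="ruby"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=\d+ comm="(?P<comm>[^"]*)"'
    r'(?P<rest>.*?)scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
OBJ_RE = re.compile(r'(?:name|path)="?([^" ]+)"?')  # the object named in the denial

def parse_avcs(text):
    """Yield one record per AVC denial line; anything else is skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        obj = OBJ_RE.search(m.group("rest"))
        yield {"perms": set(m.group("perms").split()), "comm": m.group("comm"),
               "object": obj.group(1) if obj else None, "tclass": m.group("tclass"),
               "stype": m.group("scontext").split(":")[2],   # type field of the context
               "ttype": m.group("tcontext").split(":")[2]}

def summarize(text):
    """Group denials by (source type, target type, class) and keep the evidence,
    so each rule audit2allow would emit can be traced to what triggered it."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set(), "count": 0})
    for d in parse_avcs(text):
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["comms"].add(d["comm"])
        if d["object"]:
            g["objects"].add(d["object"])
        g["count"] += 1
    return dict(groups)

def report(text):
    """Render each group as an allow rule annotated with the evidence behind it."""
    lines = []
    for (s, t, c), g in sorted(summarize(text).items()):
        lines.append("allow %s %s:%s { %s };  # %dx via %s on %s" % (
            s, t, c, " ".join(sorted(g["perms"])), g["count"],
            ",".join(sorted(g["comms"])), ",".join(sorted(g["objects"])) or "?"))
    return lines
```

Run `print("\n".join(report(open("/var/log/audit/audit.log").read())))` against a real log to see, per prospective rule, which command touched which object; a passenger domain reading `stat` files under `/proc/<pid>` of crond_t and snmpd_t, for example, points at process scanning rather than at any genuine need to talk to those daemons.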