On Mon, 2012-04-09 at 19:38 +0200, Gabriele Pohl wrote:
> Hi all,
>
> I've installed a software from the sources on a CentOS 6.2 box
> and would like to setup a SELinux policy for it.
>
> As I already use the software on my Fedora 15 server
> Source RPM : BackupPC-3.2.1-7.fc15.src.rpm
> I would like to use the wisdom from the existing policy module:
> /usr/share/selinux/packages/BackupPC/BackupPC.pp
>
> I found this forum thread:
> http://www.linuxquestions.org/questions/showthread.php?p=4548316#post4548316
>
> which ended with the hint:
> "Use the tools from the setools package."
>
> I tried this, but wasn't successful.
> All the time running into errors telling me,
> that these cannot open the policy file,
> as it is no "base policy"
>
> Can you help with instructions?
> Or tell me, where to find the .te file of the Fedora package?
>
> Thanks in advance and kind regards
>
> Gabriele
>
> PS: I found this instruction on how to generate the .pp
> from the audit messages. So if there is really no way
> to /decompile/ the .pp I will go this way:
> http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html

There is currently no way to disassemble .pp files as far as I know.

See if the source is enclosed with the source rpm.

Other options are:

1. Disable that backuppc policy module (semodule -d BackupPC) and write
   your own (backuppc pretty much needs full access to the file system
   often, and it needs many permissions, so it's not easy to write policy
   for).

2. Extend the BackupPC module. Use
   [ ... ] | audit2allow -M mybackuppc; sudo semodule -i mybackuppc.pp
   or do it manually: create a mybackuppc.te file, declare a policy
   module, import required types, attributes etc., add policy rules, and
   build and install
   (make -f /usr/share/selinux/devel/Makefile mybackuppc.pp; sudo semodule -i mybackuppc.pp).

3. Make backuppc permissive (unprotected):
   semanage permissive -a backuppc_t

4. Disable the module, which causes SELinux to run it in the init script
   domain, which is unprotected/unrestricted (semodule -d BackupPC).

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
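
As an added illustration of the audit-message route in option 2 (not code from this thread or from the SELinux tools), the sketch below shows the kind of .te source that is derived from AVC denials, so the granted permissions can be reviewed before the module is built and installed. The log lines are constructed, `var_t` and `httpd_t` are assumed example types, and `build_module` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the thread); paths and the
# var_t / httpd_t types are assumptions chosen for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334000000.101:210): avc:  denied  { read open } for  pid=2101 comm="BackupPC_dump" path="/srv/data/a.txt" dev=dm-0 ino=131 scontext=system_u:system_r:backuppc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1334000000.102:211): avc:  denied  { getattr } for  pid=2101 comm="BackupPC_dump" path="/srv/data/a.txt" dev=dm-0 ino=131 scontext=system_u:system_r:backuppc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1334000000.103:212): avc:  denied  { search } for  pid=2101 comm="BackupPC_dump" name="data" dev=dm-0 ino=130 scontext=system_u:system_r:backuppc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1334000000.104:213): avc:  denied  { read } for  pid=2200 comm="httpd" name="x" dev=dm-0 ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Extract permissions, source type, target type and object class from a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)\S* "
    r"tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)\S* "
    r"tclass=(?P<cls>\w+)"
)

def build_module(log_text, domain, name):
    """Return .te source granting only what `domain` was denied in log_text."""
    rules = defaultdict(set)  # (target type, class) -> set of permissions
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m["src"] == domain:  # ignore denials of other domains
            rules[(m["tgt"], m["cls"])].update(m["perms"].split())
    types = sorted({domain} | {t for t, _ in rules})
    classes = defaultdict(set)  # every class/permission used must be required
    for (_, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {domain} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_module(SAMPLE_AUDIT_LOG, "backuppc_t", "mybackuppc"))
```

Repeated denials for the same target type and class are merged into a single allow rule, and denials logged for other domains are left out of the module.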