On Thu, 2013-01-17 at 18:11 -0500, Jean-David Beyer wrote:
> I have been running Red Hat Enterprise Linux since 2004, starting with
> RHEL 3. Later I upgraded to RHEL 5. When I needed a new computer, I got
> RHEL 6 to run on it.
>
> RHEL 6 runs with SELinux turned on by default and it is presenting me
> with one problem, but my /var/log/messages file indicates I have _a lot_
> of others.
>
> Now according to Red Hat's documentation, I should report these as bugs,
> but that seems a bit extreme if it is just a misconfiguration problem.
>
> > Missing Type Enforcement rules are usually caused by bugs in SELinux
> > policy, and should be reported in Red Hat Bugzilla. For Red Hat
> > Enterprise Linux, create bugs against the Red Hat Enterprise Linux
> > product, and select the selinux-policy component. Include the output
> > of the audit2allow -w -a and audit2allow -a commands in such bug
> > reports.
>
> Should I really do that? And if so, just how? How do I specify the
> problem in a way to be useful?
>
> One problem is that I have a shell script, run by cron that sends an
> email with mailx to me (on the same machine). That means it is run by
> root. And the mail fails when cron runs it. It is adding an attachment
> and SELinux says it is denied. Now when I run it myself, but logged in
> as root, the e-mail works. I do not specifically want to solve that
> problem here, but I do need to know how to change the system policy file,
> wherever it is, so I do not need to continually make little ones, say by
> running stuff like this:
>
> # grep boinc_client /var/log/audit/audit.log | audit2allow -M myboinc
> # semodule -i myboinc.pp
>
> I also wish to make the change, if they are really required, permanent.
>
> Any advice?

You could fork the rhel selinux-policy package (you can download the
selinux-policy source rpm. use rpmbuild to prep it. then modify it to
your requirements and repackage it.
Then distribute the repackaged rpms

It is pretty easy to do with a little knowledge about rpm, selinux-policy
and a vcs

I would, however, probably just create a new domain, make that a
cron_system_entry and write policy to allow that domain what it needs
rather than extending the generic cron system domain

But replacing the existing cron module is probably also an option.
semodule allows one to -r (remove) and -d (disable) optional modules
this enables one to replace them with modified versions

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
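The new-domain approach suggested in the reply, sketched as an added example that is not part of the original thread or of Red Hat's policy. The module name `mailreport`, the script path, and every interface call other than `cron_system_entry` are assumptions chosen for illustration; the build step assumes the policy development Makefile is installed at /usr/share/selinux/devel/Makefile.

```shell
#!/bin/sh
# Added example, not from the thread. MOD and SCRIPT are hypothetical names.
MOD=mailreport
SCRIPT=/usr/local/sbin/mailreport.sh

# Write the module source (.te) and file contexts (.fc) into directory $1.
write_policy() {
    dir=$1
    cat > "$dir/$MOD.te" <<EOF
policy_module($MOD, 1.0.0)

# Dedicated domain and entry-point type for the cron-run script.
type ${MOD}_t;
type ${MOD}_exec_t;
application_domain(${MOD}_t, ${MOD}_exec_t)

# System cron jobs transition into the new domain when they run the script.
cron_system_entry(${MOD}_t, ${MOD}_exec_t)

# Assumed starting set for a shell script that calls mailx. Further rules
# come from AVC denials logged for this domain and stay confined to it.
corecmd_exec_shell(${MOD}_t)
corecmd_exec_bin(${MOD}_t)
mta_send_mail(${MOD}_t)
EOF
    # Escape dots so the path is matched literally by the .fc regex.
    fc_path=$(printf '%s' "$SCRIPT" | sed 's/\./\\./g')
    printf '%s\t--\tgen_context(system_u:object_r:%s_exec_t,s0)\n' \
        "$fc_path" "$MOD" > "$dir/$MOD.fc"
}

# Build with the policy development Makefile, load the module, relabel the script.
build_and_install() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$MOD.pp" ) || return 1
    semodule -i "$1/$MOD.pp" || return 1
    restorecon -v "$SCRIPT"
}

# As root: sh mailreport-policy.sh install
if [ "${1:-}" = install ]; then
    work=$(mktemp -d) && write_policy "$work" && build_and_install "$work"
fi
```

Once the module is loaded, denials for the job are logged against `mailreport_t` rather than the generic cron domain, so reviewed `audit2allow` output can be added to this one module instead of a series of small ones.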