Re: New to this list, and new to SELinux.

On 01/18/2013 12:11 AM, Jean-David Beyer wrote:
I have been running Red Hat Enterprise Linux since 2004, starting with
RHEL 3. Later I upgraded to RHEL 5. When I needed a new computer, I got
RHEL 6 to run on it.

RHEL 6 runs with SELinux turned on by default and it is presenting me
with one problem, but my /var/log/messages file indicates I have _a lot_
of others.

Now according to Red Hat's documentation, I should report these as bugs,
but that seems a bit extreme if it is just a misconfiguration problem.

Missing Type Enforcement rules are usually caused by bugs in SELinux
policy, and should be reported in Red Hat Bugzilla. For Red Hat
Enterprise Linux, create bugs against the Red Hat Enterprise Linux
product, and select the selinux-policy component. Include the output
of the audit2allow -w -a and audit2allow -a commands in such bug
reports.

Should I really do that? And if so, just how? How do I specify the
problem in a way to be useful?

One problem is that I have a shell script, run by cron that sends an
email with mailx to me (on the same machine). That means it is run by
root. And the mail fails when cron runs it. It is adding an attachment
and SELinux says it is denied. Now when I run it myself, but logged in
as root, the e-mail works. I do not specifically want to solve that
problem here, but I do need to know how to change the system policy file,
wherever it is, so I do not need to continually make little ones, say by
running stuff like this:

# grep boinc_client /var/log/audit/audit.log | audit2allow -M myboinc
# semodule -i myboinc.pp

I also wish to make the changes, if they are really required, permanent.

Any advice?
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

Hi,
I believe we should collect all AVC msgs. Could you execute

# semanage permissive -a system_mail_t

which will make the domain permissive. So nothing will be denied and we will see AVC msgs in /var/log/audit/audit.log. Also I believe the local policy is better than a rebuild of the policy package.

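As an added example (not part of the original messages), one way to condense the AVC records collected while system_mail_t is permissive into the unique source type, target type, class and permission sets that a bug report or a local module needs. The function names `sample_avc_log` and `summarize_avc` and the sample audit lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample audit records (not taken from the thread).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1358500001.101:201): avc:  denied  { read } for  pid=4101 comm="mailx" name="report.txt" dev=dm-0 ino=1311 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1358500001.101:201): arch=c000003e syscall=2 success=yes exit=3 pid=4101 comm="mailx"
type=AVC msg=audit(1358500001.102:202): avc:  denied  { open } for  pid=4101 comm="mailx" name="report.txt" dev=dm-0 ino=1311 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1358500001.090:200): avc:  denied  { search } for  pid=4101 comm="mailx" name="root" dev=dm-0 ino=1200 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1358586401.101:310): avc:  denied  { read } for  pid=5202 comm="mailx" name="report.txt" dev=dm-0 ino=1311 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1358586500.007:311): avc:  denied  { write } for  pid=2210 comm="boinc_client" name="slots" dev=dm-0 ino=2001 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
EOF
}

# summarize_avc DOMAIN: read audit records on stdin and print one line per
# unique (source type, target type, class): merged permissions and hit count.
# Records logged for a permissive domain still carry the word "denied".
summarize_avc() {
  awk -v dom="$1" '
    $1 == "type=AVC" && /avc: +denied/ {
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        # The SELinux type is the third colon-separated part of a context.
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   c = substr($i, 8)
      }
      if (s != dom) next
      # Permissions are the words between the braces.
      b = index($0, "{"); e = index($0, "}")
      n = split(substr($0, b + 1, e - b - 1), p, " ")
      key = s " " t " " c
      count[key]++
      for (j = 1; j <= n; j++)
        if (!seen[key, p[j]]++)
          perm[key] = perm[key] (perm[key] ? "," : "") p[j]
    }
    END { for (k in count) print k, perm[k], count[k] }
  ' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
sample_avc_log | summarize_avc system_mail_t
```

On a real system the input would be /var/log/audit/audit.log instead of the sample function.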