Three things:

1. If one does the audit2allow ...

    checkmodule -M -m -o mynewmodule.mod mynewmodule.te
    semodule_package -o mynewmodule.pp -m mynewmodule.mod
    semodule -i mynewmodule.pp

How does one undo that if mynewmodule.te is a stupid policy? Doesn't the semodule make that part of the policy on every boot?

2. As a selinux wannabe and an selinux enthusiast, I want more of my coworkers to use selinux. They are highly resistant and usually have selinux=0 or enforce=0 on their boot commands. Having a list of dumb audit2allow rules would be most helpful so I could explain to them how to use selinux without it being too cumbersome. I know, a lot depends on the situation, but some should make one nervous. For example, if one saw the following:

    allow unconfined_t root_t:file { read write append create};

one should be very nervous (I would think). There are other suggestions that I think you all see that might make you all chuckle. I would like a list of chucklers so I do not accidentally become a comedian.

3. Are any of these potentially dangerous (my apologies if this is a stupid request)?

    allow automount_t unlabeled_t:dir search;
    allow fsdaemon_t urandom_device_t:chr_file read;
    allow groupadd_t devpts_t:chr_file { read write };
    allow httpd_t default_t:dir search;
    allow insmod_t src_t:dir search;
    allow irqbalance_t user_home_t:dir search;
    allow ldconfig_t var_t:dir write;
    allow pam_console_t file_t:dir read;
    allow semanage_t devpts_t:chr_file { read write };
    allow setfiles_t devpts_t:chr_file { read write };
    allow useradd_t devpts_t:chr_file { read write };

Thank you for your time and effort.

-- 
William Chimiak
Laboratory for Telecommunications Sciences
8080 Greenmead Road
College Park, MD
240-949-2778
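
As an added example (not part of the original message): a small Python pass over some of the rules quoted above that flags audit2allow output whose target is a fallback label, or that grants write-class access to a broad base type, so those rules get reviewed before a module is built. The two type lists, the permission set and the function names are assumptions of this example, not an official list.

```python
import re

# Constructed sample: a few of the rules quoted in the message above.
SAMPLE_TE = """
allow unconfined_t root_t:file { read write append create};
allow automount_t unlabeled_t:dir search;
allow fsdaemon_t urandom_device_t:chr_file read;
allow httpd_t default_t:dir search;
allow ldconfig_t var_t:dir write;
allow pam_console_t file_t:dir read;
"""

# Assumption of this example: labels an object carries when it has no
# specific file context, which usually points at a labeling problem.
FALLBACK_TYPES = {"unlabeled_t", "file_t", "default_t"}
# Assumption: illustrative list of broad base types; extend for your policy.
BROAD_TYPES = {"root_t", "var_t", "usr_t", "etc_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}

# Matches simple rules: allow <source> <target>:<class> <perm | { perms }>;
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)

def parse_rules(text):
    """Yield (source, target, class, perms) for each simple allow rule."""
    for src, tgt, cls, perms in RULE_RE.findall(text):
        yield src, tgt, cls, set(perms.strip("{}").split())

def review(text):
    """Return (rule, reason) pairs for rules that deserve a second look."""
    findings = []
    for src, tgt, cls, perms in parse_rules(text):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in FALLBACK_TYPES:
            findings.append(
                (rule, f"{tgt} is a fallback label; check file labeling first"))
        elif tgt in BROAD_TYPES and perms & WRITE_PERMS:
            findings.append((rule, f"write-class access to broad type {tgt}"))
    return findings

if __name__ == "__main__":
    for rule, reason in review(SAMPLE_TE):
        print(f"REVIEW  {rule}\n        {reason}")
```

A rule that passes both checks is not thereby safe; the script only narrows down which lines of a generated .te file to read first.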