I had planned to do a write-up about configuring SELinux under SL after having run into problems with it for the first time last week, but I got sidetracked.
TUV has a very detailed manual available here:
http://www.google.com/url?sa=t&sourc...no3Zy6dvMedh6w
Very good....very sleep inducing.....
For quick diag and fix options go to page 67, where it begins discussing audit2allow. This is not the fine-tuning security option, nor is it 'anything goes' mode, but it seems a pretty good balance. This requires a few minutes, while an ultra-secure fix could take hours or days to fine-tune.
Under 5.6 my test system already had it installed. Under 6.0 I needed to load the package called policycoreutils-python
then run....
audit2allow -w -a
The above will parse the audit log and show you all of the offending events. You should probably switch to permissive mode for a while and give your target application a good workout. Otherwise you may be forced to rerun these steps several times.
You can also use grep to filter the audit log /var/log/audit/audit.log, such as...
grep YaBB.pl /var/log/audit/audit.log | audit2allow -w
Once you have identified the log lines whose permissions you want to allow, change the command to
grep YaBB.pl /var/log/audit/audit.log | audit2allow -M MyFile
After it thinks for a while it should produce:
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i MyFile.pp
You can name MyFile whatever you want. The program actually produces two files, a .te and a .pp. The .te is the human-readable portion. To implement, just follow the directions.
semodule -i MyFile.pp
The fact that you can run SELinux for a long time in Enforcing mode and not know it is proof of how well it is implemented. The fact that it is such a pain when it encounters something that it does not like is also proof that it is doing its job. Whenever you can, I would recommend adjusting the rules instead of turning them off.
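To see what a generated module would permit before loading it with semodule -i, the following added example (not part of the original post) tallies the source type, target type, class and permission of each AVC denial that matches a filter string. The function names summarize_avc and sample_log and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally AVC denials by (source type, target type:class, permission).
# Usage on a real system: summarize_avc YaBB.pl < /var/log/audit/audit.log
summarize_avc() {
    # $1 = fixed string to filter on (e.g. the script name); log is read from stdin
    grep -F -- "$1" | awk '
        /avc: +denied/ {
            perms = $0
            sub(/^.*[{] */, "", perms)      # drop everything up to "{"
            sub(/ *[}].*$/, "", perms)      # drop "}" and the rest
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # contexts are user:role:type:level, so the type is field 3
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) count[src " " tgt ":" cls " " p[j]]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample log lines (not from a real system).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1300000000.101:10): avc:  denied  { read write } for  pid=2001 comm="YaBB.pl" name="Members" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.101:10): arch=c000003e syscall=2 success=no exit=-13 pid=2001 comm="YaBB.pl" exe="/usr/bin/perl"
type=AVC msg=audit(1300000005.202:11): avc:  denied  { write } for  pid=2002 comm="YaBB.pl" name="Members" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1300000009.303:12): avc:  denied  { search } for  pid=2003 comm="YaBB.pl" name="yabb" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1300000011.404:13): avc:  denied  { name_bind } for  pid=2004 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF
}

# Each output line is: <event count> <source type> <target type>:<class> <permission>
sample_log | summarize_avc YaBB.pl
```

Every tuple printed corresponds to a permission the module would grant, so compare the list against MyFile.te and drop any denial you did not expect before running semodule -i.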