Hi Stephen and all,
I searched for a possibility to see
what rules are defined in the Selinux
module for munin.
After reading a lot of man pages of all the Selinux tools
that I found on my system, without a result for this issue,
I took a look at the selinux knowledge base here:
and saw "seedit" selinux policy editor (and accompanying simplified
"You can try SELinux Policy Editor on Fedora Core 6,7,8 or CentOS 4,
Cent OS5. It will not affect existing SELinux policies so it is
possible to revert to the default settings easily."
Hmmm, at the first call it asks for initialization.
I agreed. It needs a reboot and after that, all
policy rules were replaced by *simple* ones.
And mode is now *permissive*, no longer *targeted*.
I find no possibility to load a module for edit.
(as e.g. munin targeted module). So this experiment
was useless for my purpose.
After switching the mode *targeted* again
(but no reboot since now) I see none of the
old modules. All contexts are *unconfined*.
How can I get the original state back?
On Friday, 12.09.2008, at 09:49 -0400, Stephen Smalley wrote:
> On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
> > I use Munin (http://munin.projects.linpro.no/)
> > Now my first question:
> > Plugin smart_ is written in Python.
> > It calls "smartctl" from the smartmontools package to read the
> > values of the SMART-Attributes from the harddisks.
> > #============= munin_t ==============
> > allow munin_t fixed_disk_device_t:blk_file getattr;
> Ideally the munin_t domain itself shouldn't need any access to the raw
> device - it should transition into the existing domain for smartd
> (fsdaemon_t) upon executing the smartctl program.

How can this be done?

> I don't know offhand
> if the existing munin policy module has such a domain transition rule.

I would like to look at the rules defined in
the policy module. How can I do this?

> However, mere getattr access (i.e. the ability to stat the file)
> big deal, so you could likely grant that one w/o difficulty. What would
> be more problematic is allowing read or write access to the raw device.

ok, thanks! I'll add this rule as soon
as I have my original states restored on the system.
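
Added example (not part of the original e-mail, and not code from the munin or SELinux projects): a small Python check that applies the getattr versus read/write distinction from the thread to audit2allow-style output, separating stat-only rules on the raw disk type from rules that would grant more. The names RAW_DEVICE_TYPES and METADATA_ONLY and every sample rule except the one quoted in the thread are assumptions made for illustration.

```python
import re

# Assumption: device types treated as "raw disk" for this review. Only
# fixed_disk_device_t appears in the thread; extend the set for your policy.
RAW_DEVICE_TYPES = {"fixed_disk_device_t"}
# Permissions that only expose metadata (stat) rather than device content.
METADATA_ONLY = {"getattr"}

# Matches audit2allow output: allow <source> <target>:<class> <perm> | { perms };
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")

def parse_rules(text):
    """Yield (source, target, class, perms) for each allow rule in text."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # header lines such as '#==== munin_t ====' do not match
            perms = set((m.group(4) or m.group(5)).split())
            yield m.group(1), m.group(2), m.group(3), perms

def review(text):
    """Return (rule, verdict) pairs for every rule targeting a raw device."""
    findings = []
    for src, tgt, cls, perms in parse_rules(text):
        if tgt not in RAW_DEVICE_TYPES:
            continue
        beyond_stat = sorted(perms - METADATA_ONLY)
        if beyond_stat:
            verdict = "needs-review: " + " ".join(beyond_stat)
        else:
            verdict = "stat-only"
        findings.append((f"{src} -> {tgt}:{cls}", verdict))
    return findings

# Constructed sample: the first rule is the one quoted in the thread, the
# other two are made up to show the contrast.
SAMPLE = """\
#============= munin_t ==============
allow munin_t fixed_disk_device_t:blk_file getattr;
allow munin_t fixed_disk_device_t:blk_file { getattr read ioctl };
allow munin_t var_log_t:file read;
"""

if __name__ == "__main__":
    for rule, verdict in review(SAMPLE):
        print(rule, "=>", verdict)
```
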