On 21/12/09 02:25, Steve Blackwell wrote:
On Fri, 18 Dec 2009 10:11:53 +0100
Dominick Grift <domg472(a)gmail.com> wrote:
> On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
>
>> I have a UPS that sends an SNMP trap when the main power goes out.
>> I wrote my snmptrapd.conf file to execute a script when the trap is
>> received. The script simply calls zenity to pop up a message.
>>
>> Here's my problem. If I start snmptrapd from the command line
>> everything works beautifully but if I have the system start it at
>> boot time or via System->Administration->Services, the trap gets
>> logged
>>
> Because when you start it manually it gets executed in the user's
> environment which is unrestricted/unprotected in el5
>
OK, I see that now. I got a bit wrapped around the axle because
snmptrapd sometimes creates a file (I'm not quite sure
when) called /var/net-smpd/snmptrapd.conf and if I run
# /etc/rc.d/init.d/snmptrapd restart
as root it gets created with a snmpd_var_lib_t type but if I just
start snmptrapd from the command line as root it gets created with a
different type and then the system can't restart snmptrapd because it
doesn't have permission to write to that file. ... I think...
>
>> in /var/log/messages but the zenity window doesn't get displayed
>> and I get these SELinux messages in /var/log/messages.
>>
>> SELinux is preventing the zenity from using potentially mislabeled
>> files (XO)...
>>
>> SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
>> <xserver_port_t>...
>>
>> I've looked at the output of
>>
>> # ps -ef | grep snmptrapd
>>
>> and it is identical in both cases so I don't understand why one
>> works and the other doesn't. I tried
>>
>> # cat /var/log/messages | audit2allow -m local
>>
> The avc denial gets logged to .:
>
> ausearch -m avc -ts yesterday | grep snmpt_t | audit2allow -M mysnmp
> | semodule -i mysnmp.pp
>
This was also confusing me because I had auditd turned off and so the
avc denials are supposed to go to /var/log/messages but it seems that
some still went to /var/log/audit/audit.log.
Anyhow, running this command helped in that I don't get any more avc
denials logged but I still don't see my dialog popup. I'm going to try
this again starting with a clean log.
I have a few questions if you have the time to answer them.
I have been reading this:
http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index...
and this:
http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index...
which I found quite useful but they are way out of date. Is there
anything comparable that is current?
My understanding is that a .te is a policy configuration file, a text
file and that a .pp file is a policy package, a binary file. Does
the .te file get "compiled" into a .pp file and if so how does this
happen?
I read that the policy directory for Fedora systems is
/etc/security/selinux/src/policy
but neither the RHEL5.4 system at work nor my Fedora 11 system at home
has such a directory and the only .te file is in
/usr/share/selinux/devel.
Where is the accepted location to put .te files?
Is there a way to "see" what a .pp file is doing? A disassembly of
sorts. I'd like to look at some examples. There are plenty of .pp files
in /etc/selinux/targeted/modules/active/modules.
Thanks,
Steve
>> but that just produced a file that said:
>>
>> module local 1.0;
>>
>> and nothing else.
>>
>> I'm running RHEL5.4 with SELinux in enforcing mode.
>>
>> Any help would be appreciated.
>>
>> Thanks,
>> Steve
>>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
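The two things Steve is asking about here, what a .te file actually contains and why audit2allow handed him a module with nothing but "module local 1.0;" in it, can be shown with a small script that does the same job as "audit2allow -m" on a handful of log lines. This is an added example, not code from the thread and not the real audit2allow; the audit.log and /var/log/messages records it parses are constructed, and the pids, paths and the tmp_t/httpd_t/user_home_t types are illustrative (only snmpd_t and xserver_port_t come from the thread).

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread). The first block has
# the shape of /var/log/audit/audit.log; the second has the shape of
# /var/log/messages, where the kernel's AVC records land via syslog when
# auditd is not running. Types other than snmpd_t/xserver_port_t are illustrative.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1261000000.123:45): avc:  denied  { name_connect } for  pid=4321 comm="zenity" dest=6000 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1261000000.123:45): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1261000000.456:46): avc:  denied  { read write } for  pid=4321 comm="zenity" path="/tmp/zenity.tmp" scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1261000001.000:47): avc:  denied  { getattr } for  pid=9999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

SAMPLE_SYSLOG = """\
Dec 17 20:36:00 ups-host snmptrapd[4300]: 2009-12-17 20:36:00 UDP: [192.0.2.10]:162 TRAP, SNMP v1, community public
Dec 17 20:36:01 ups-host kernel: type=1400 audit(1261000000.123:45): avc:  denied  { name_connect } for  pid=4321 comm="zenity" dest=6000 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
"""

# A messages file that holds only the trap line and no AVC record at all.
SAMPLE_SYSLOG_NO_AVC = SAMPLE_SYSLOG.splitlines()[0] + '\n'

# One regex matches both log shapes: the "avc: denied { perms } ... scontext=
# tcontext= tclass=" part is identical whether auditd or syslog wrote the line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc_lines(text):
    """Return (source_type, target_type, class, perms) for every AVC denial in text.

    Lines without an AVC record (SYSCALL records, the snmptrapd trap line) are
    skipped, so a log that holds no denials yields an empty list."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = tuple(sorted(m.group('perms').split()))
        denials.append((type_of(m.group('scontext')), type_of(m.group('tcontext')),
                        m.group('tclass'), perms))
    return denials


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def build_te(denials, source_type=None, module_name='local', version='1.0'):
    """Render .te source the way "audit2allow -m" does: a module header, a
    require block naming every type and class used, then one allow rule per
    (source, target, class). With no denials only the header is emitted, which
    is exactly the one-line file you get when the log you fed it had no AVCs."""
    rules = defaultdict(set)
    for src, tgt, tclass, perms in denials:
        if source_type is not None and src != source_type:
            continue  # keep only the domain we are writing policy for
        rules[(src, tgt, tclass)].update(perms)
    header = 'module %s %s;' % (module_name, version)
    if not rules:
        return header + '\n'
    types, classes = set(), defaultdict(set)
    for (src, tgt, tclass), perms in rules.items():
        types.update((src, tgt))
        classes[tclass].update(perms)
    out = [header, '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (src, tgt, tclass, fmt_perms(perms))
            for (src, tgt, tclass), perms in sorted(rules.items())]
    return '\n'.join(out) + '\n'


# The .te text is what gets "compiled" into the binary .pp package; the real
# toolchain does it in two steps (run as root, then load with semodule):
#   checkmodule -M -m -o local.mod local.te
#   semodule_package -o local.pp -m local.mod
#   semodule -i local.pp
# Review every generated allow rule before loading it: the script reproduces
# denials verbatim, it does not decide whether the access should be permitted.
if __name__ == '__main__':
    print('--- from a messages file with no AVC records ---')
    print(build_te(parse_avc_lines(SAMPLE_SYSLOG_NO_AVC)))
    print('--- from audit.log, snmpd_t denials only ---')
    print(build_te(parse_avc_lines(SAMPLE_AUDIT_LOG), source_type='snmpd_t'))
```

Running it prints the bare "module local 1.0;" for the messages file that contains only the trap line, and a full require block plus two allow rules for snmpd_t once the denials from audit.log are parsed; the httpd_t denial is dropped by the source_type filter, which is what the "grep snmpt_t" in Dominick's pipeline was meant to achieve.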
Steve,
we have two selinux docs in the fedora docs at
http://docs.fedoraproject.org/
Also maybe Daniel's blog might be useful to you @
http://danwalsh.livejournal.com/
There are more, but I can't think of them at the moment. If you harass
fenris02 in #fedora, and ask him for the SELinux links, he has got a
script that blahs them out.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Thawte Notary
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org