On Tue, Dec 08, 2009 at 10:41:51AM -0800, John Oliver wrote:
I don't know if there's a better way to do this, but I'm trying to get
nagios working with selinux (CentOS 5.4 Final). I try to run it, get an
error, create a policy module, install it, and return to step one. It's
getting pretty ridiculous:
Yes, common issue with developing policy. What developers usually do is develop policy in
permissive mode or, in Fedora 11 and up, using permissive domains. These methods allow you to
accumulate all or at least most AVC denials in one run. This is because permissive
mode/domains allow the access but log "would be" denials. So the process usually
works, but you'll still get to see what SELinux would have denied.
But apart from that, you can also develop policy in enforcing mode, although since SELinux
actually denies every permission, the process cannot proceed. So you'll write a rule, reload the
modified policy, append the next rule, reload, and so forth and so forth.
An easier way to do that is to just modify your source policy (the .te, .if and .fc
files), rebuild the binary policy and install it again. That will overwrite the installed
policy.
# start a new module source, build it and install it
echo "policy_module(example, 1.0.0)" > example.te
make -f /usr/share/selinux/devel/Makefile example.pp
sudo semodule -i example.pp
# ( .. later you figure out more policy is required .. )
# ( .. append the extra rules to the existing source policy file example.te .. )
echo "type example_t;" >> example.te
echo "type example_exec_t;" >> example.te
echo "init_daemon_domain(example_t, example_exec_t)" >> example.te
# ( .. build the binary module again, this time from the modified example.te .. )
make -f /usr/share/selinux/devel/Makefile example.pp
# ( .. install the modified example.pp binary module *again*; if the policy version is the
#      same, this overwrites the already installed example.pp .. )
sudo semodule -i example.pp
That way you will end up with a single module with all your mods for a particular domain.
[joliver@mda-services4 ~]$ sudo /usr/sbin/semodule -l | grep nagios
nagios 1.1.0
nagios10 1.0
nagios2 1.0
nagios3 1.0
nagios4 1.0
nagios5 1.0
nagios6 1.0
nagios7 1.0
nagios8 1.0
nagios9 1.0
When I finally discover all of the problems... is there a way to dump
all of those modules into one? Both for my sanity, and so that I can
maybe submit that module to CentOS so the next poor SOB who tries to do
this doesn't have to reinvent the wheel?
Or is there another, better, way to find all of the various rules that
are needed in one fell swoop?
--
John Oliver
http://www.john-oliver.net/
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
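As an added example (not from the thread or from either poster), here is a script that folds the rules from the generated nagiosN.te sources into one module source, so that the single make / semodule -i cycle described in the reply can replace the pile of nagios2..nagios10 modules. It assumes the inputs follow the layout audit2allow -M writes ("module NAME VER;", a "require { ... }" block, then allow/dontaudit rules); the module name nagios_local and the two sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: fold the rules audit2allow -M spread over
# nagios2.te .. nagios10.te into one refpolicy-style source, so the single
# make / semodule -i cycle described above replaces the pile of modules.
# Assumes audit2allow's layout; "nagios_local" is a constructed module name.
merge_te() {   # usage: merge_te NEWNAME a.te b.te ...  (merged source on stdout)
    name=$1; shift
    printf 'policy_module(%s, 1.0.0)\n\nrequire {\n' "$name"
    # Require blocks: dedupe type lines; require each class once with the union of perms.
    awk '/^require[ \t]*[{]/ {inreq=1; next}
         inreq && /^[}]/  {inreq=0; next}
         !inreq           {next} { sub(/^[ \t]+/, "") }
         $1 != "class"    { other[$0]=1; next }
         { cls=$2; sub(/^class[ \t]+[^ \t]+/, ""); gsub(/[{};]/, "")
           n=split($0, p, /[ \t]+/)
           for (i=1; i<=n; i++) if (p[i] != "" && !seen[cls,p[i]]++) perms[cls]=perms[cls] " " p[i] }
         END { for (l in other) print "\t" l
               for (c in perms) printf "\tclass %s {%s };\n", c, perms[c] }' "$@" | sort
    printf '}\n\n'
    # Outside require blocks keep only rule lines (module headers, comments dropped);
    # identical rules collapse, differing perm sets for one pair all stay (they union).
    awk '/^require[ \t]*[{]/ {inreq=1; next}
         inreq && /^[}]/  {inreq=0; next}
         !inreq && /^(allow|dontaudit|auditallow)[ \t]/' "$@" | sort -u
}

workdir=$(mktemp -d)   # constructed stand-ins for two of the generated modules
cat > "$workdir/nagios2.te" <<'EOF'
module nagios2 1.0;
require {
	type nagios_t;
	type var_log_t;
	class file { read getattr };
}
#============= nagios_t ==============
allow nagios_t var_log_t:file { read getattr };
EOF
cat > "$workdir/nagios3.te" <<'EOF'
module nagios3 1.0;
require {
	type nagios_t;
	type var_log_t;
	class file { write };
	class dir { search };
}
allow nagios_t var_log_t:file { write };
allow nagios_t var_log_t:dir search;
EOF
merged_sample() { merge_te nagios_local "$workdir/nagios2.te" "$workdir/nagios3.te"; }
# Save this output as nagios_local.te, build and install it as in the thread, then
# drop the old nagiosN modules with semodule -r.
merged_sample
```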