On Sun, Dec 20, 2009 at 09:25:58PM -0500, Steve Blackwell wrote:
> On Fri, 18 Dec 2009 10:11:53 +0100
> Dominick Grift <domg472(a)gmail.com> wrote:
> > On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
> > > I have a UPS that sends an SNMP trap when the main power goes out.
> > > I wrote my snmptrapd.conf file to execute a script when the trap is
> > > received. The script simply calls zenity to pop up a message.
> > >
> > > Here's my problem. If I start snmptrapd from the command line
> > > everything works beautifully but if I have the system start it at
> > > boot time or via System->Administration->Services, the trap gets
> > > logged
> >
> > Because when you start it manually it gets executed in the users
> > environment which is unrestricted/ unprotected in el5
> OK, I see that now. I got a bit wrapped around the axle because
> snmptrapd sometimes creates a file (I'm not quite sure
> when) called /var/net-smpd/snmptrapd.conf and if I run
> # /etc/rc.d/init.d/snmptrapd restart
> as root it gets created with a snmpd_var_lib_t type but if I just
> start snmptrapd from the command line as root it gets created with a
> different type and then the system can't restart snmptrapd because it
> doesn't have permission to write to that file. ... I think...
> >
> > > in /var/log/messages but the zenity window doesn't get displayed
> > > and I get these SELinux messages in /var/log/messages.
> > >
> > > SELinux is preventing the zenity from using potentially mislabeled
> > > files (XO)...
> > >
> > > SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
> > > <xserver_port_t>...
> > >
> > > I've looked at the output of
> > >
> > > # ps -ef | grep snmptrapd
> > >
> > > and it is identical in both cases so I don't understand why one
> > > works and the other doesn't. I tried
> > >
> > > # cat /var/log/messages | audit2allow -m local
> >
> > The avc denial gets logged to .:
> >
> > ausearch -m avc -ts yesterday | grep snmpt_t | audit2allow -M mysnmp
> > | semodule -i mysnmp.pp
> This was also confusing me because I had auditd turned off and so the
> avc denials are supposed to go to /var/log/messages but it seems that
> some still went to /var/log/audit/audit.log.
> Anyhow running this command helped in that I don't get any more avc
> denials logged but I still don't see my dialog popup. I'm going to try
> this again starting with a clean log.
> I have a few questions if you have the time to answer them.
> I have been reading this:
> http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index...
> and this:
> http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index...
> which I found quite useful but they are way out of date. Is there
> anything comparable that is current?
I recently wrote a bit about the policy structure in Fedora 12; that also applies to 11
and to some degree el5.
It's here:
http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fe...
It's not detailed though.
> My understanding is that a .te is a policy configuration file, a text
> file and that a .pp file is a policy package, a binary file. Does
> the .te file get "compiled" into a .pp file and if so how does this
> happen?
The .te, .fc and .if files make a complete source policy module. Yes, a binary
representation of this (.pp) is what gets loaded "into the kernel".
This is done via the checkmodule and semodule_package commands. We usually use the
installed /usr/share/selinux/devel/Makefile to do this (requires selinux-policy-devel on
el5).
> I read that the policy directory for Fedora systems is
> /etc/security/selinux/src/policy
> but neither the RHEL5.4 system at work nor my Fedora 11 system at home
I think that is old (el4/fc4/5?)
> has such a directory and the only .te file is in
> /usr/share/selinux/devel.
> Where is the accepted location to put .te files?
.te files are source policy. They should not get installed. The only source policy file that
can get installed is the .if source policy file. This file is kind of like a header file.
It has shared policy that can be used by other modules to interact with that module's
types.
> Is there a way to "see" what a .pp file is doing? A disassembly of
> sorts. I'd like to look at some examples. There are plenty of .pp files
> in /etc/selinux/targeted/modules/active/modules.
There is no pp disassembler, but the sesearch command can be used to query the installed
policy (part of setools).
> Thanks,
> Steve
> > >
> > > but that just produced a file that said:
> > >
> > > module local 1.0;
> > >
> > > and nothing else.
> > >
> > > I'm running RHEL5.4 with SELinux in enforcing mode.
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks,
> > > Steve
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
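Added example (not part of the thread, and not the audit2allow code itself): a small Python script that does what the `ausearch ... | audit2allow -M mysnmp` step in the thread does at its core. It parses AVC denial records into (source type, target type, class, permissions) tuples, merges them per domain, and renders the `.te` source that checkmodule/semodule_package would then turn into a `.pp`. The AVC lines below are constructed to resemble the denials Steve describes (zenity running in snmpd_t being refused name_connect to xserver_port_t); the pid, inode and timestamp values are made up. It also reproduces the "module local 1.0; and nothing else" result: with no matching AVC records the module is just a header.

```python
import re
from collections import OrderedDict

# Constructed sample records in the format audit.log / ausearch emits.
# Values (pids, inodes, timestamps) are invented for the example.
SAMPLE_AVC = """\
type=AVC msg=audit(1261360000.123:45): avc:  denied  { name_connect } for  pid=2345 comm="zenity" dest=6000 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1261360000.456:46): avc:  denied  { read } for  pid=2345 comm="zenity" name="snmptrapd.conf" dev=dm-0 ino=1234 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1261360000.456:47): avc:  denied  { getattr } for  pid=2345 comm="zenity" name="snmptrapd.conf" dev=dm-0 ino=1234 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1261360000.789:48): avc:  denied  { write } for  pid=2346 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# One denial per line: the permission set, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = tuple(m.group("perms").split())
        yield stype, ttype, m.group("tclass"), perms


def build_rules(denials, source_filter=None):
    """Merge denials into {(stype, ttype, tclass): set(perms)}.

    source_filter keeps only one source domain, like the `grep snmpd_t`
    in the thread's pipeline, so unrelated denials (httpd_t here) stay out.
    """
    rules = OrderedDict()
    for stype, ttype, tclass, perms in denials:
        if source_filter and stype != source_filter:
            continue
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules


def render_te(module_name, rules, version="1.0"):
    """Render .te source: module header, require block, one allow rule per (src, tgt, class)."""
    header = "module %s %s;\n" % (module_name, version)
    if not rules:
        # No denials in the input gives exactly the empty module Steve saw.
        return header
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = OrderedDict()
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [header.rstrip("\n"), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in classes.items()]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        out.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = build_rules(parse_avc(SAMPLE_AVC), source_filter="snmpd_t")
    print(render_te("mysnmp", rules))
```

Feed the output to the build steps Dominick names (`checkmodule -M -m -o mysnmp.mod mysnmp.te`, then `semodule_package -o mysnmp.pp -m mysnmp.mod`, then `semodule -i mysnmp.pp`) and you have the same result as the one-liner in the thread, with the rules visible for review first. That review matters: the generated `allow snmpd_t xserver_port_t:tcp_socket { name_connect }` hands the whole SNMP daemon domain, not just zenity, permission to reach the X server, which is far wider than the one pop-up needs; reading the `.te` before loading it is how you notice that.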