On 01/17/2011 09:31 PM, Erinn Looney-Triggs wrote:
> Ah, sorry I should have been clearer this is on a RHEL 5 setup, so as
> far as I know this all has to be generated by hand, unless it is
> possible for me to pull the module from fedora, then of course I would
> have to make my ruby and passenger install conform to what is expected.
> Yeah I know this is not a policy per se, and this is one of my rubs with
> SELinux, it takes a lot of research and understanding to get to the
> point of being able to generate policy that anyone can have confidence
> in. It was a bit simpler albeit looser with DAC, and sadly we just end
> up hoping that someone who knows what they are doing will make a policy
> for us, or sit down and study SELinux for a month or two and take a
> whack at it ourselves. Any good book recommendations? I have read
> through SELinux by Example as that seems to be the most recommended, but
> there doesn't seem to be much published in the last 4 years or so.

Before you there were several others with issues identical to yours. I
offered my help to both but after a while they gave up and left me with
an unfinished policy.
I do not use ruby on rails nor do I use passenger, and I have no
experience with either one of those. To create a policy for some
application one needs to be able to test and configure it properly.
Without that help I am unable to write a good policy.
This is what I have so far:
http://fedorapeople.org/gitweb?p=domg472/public_git/ruby.git;a=summary
mgrepl is going to use what I have to create a better policy for Fedora.
However, with that we would still need to port it to el5, and we should
probably also make it compatible with the non-packaged version available
on ruby's website (it has files in different paths etc.).
All in all a lot of work if you ask me.

> I don't like what audit2allow has done here, it isn't audit2allow's
> fault, it is just a matter of the huge number of requests that passenger
> is putting through the system, why for instance does it need access to
> syslogd_t, or crond_t, or snmpd_t? Trying to deduce from where these
> access calls are coming and if/why they are needed is difficult for me.
> Anyway, I am sure Fedora will get there, but this little module may have
> to suffice for my needs (back in the olden days) on RHEL 5.

Yes it's not perfect but it's something.

> -Erinn
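
Added example (not part of the original message, and not either poster's policy work): a Python triage script for the question raised in the thread of why audit2allow output ends up referencing types such as syslogd_t, crond_t or snmpd_t. It groups AVC denials by source type, target type and object class so each group can be reviewed before any allow rule is written. The log records, the httpd_t source domain and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records for illustration; not taken from the thread.
SAMPLE_LOG = '''\
type=AVC msg=audit(1295300000.101:501): avc:  denied  { getattr } for  pid=2345 comm="ruby" path="/proc/812" dev=proc ino=53215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=dir
type=AVC msg=audit(1295300000.102:502): avc:  denied  { search } for  pid=2345 comm="ruby" name="812" dev=proc ino=53215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=dir
type=SYSCALL msg=audit(1295300000.102:502): arch=c000003e syscall=2 success=no exit=-13 comm="ruby"
type=AVC msg=audit(1295300000.110:503): avc:  denied  { read } for  pid=2345 comm="ruby" name="stat" dev=proc ino=41987 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1295300000.115:504): avc:  denied  { getattr } for  pid=2345 comm="ruby" path="/proc/901" dev=proc ino=59011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=dir
type=AVC msg=audit(1295300001.200:510): avc:  denied  { write } for  pid=2350 comm="ruby" path="/var/www/app/log/production.log" dev=dm-0 ino=98321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    src = fields.get('scontext', '').split(':')
    tgt = fields.get('tcontext', '').split(':')
    if len(src) < 3 or len(tgt) < 3 or 'tclass' not in fields:
        return None  # truncated or malformed record
    # A context is user:role:type[:level]; the type is what policy rules name.
    return {'stype': src[2], 'ttype': tgt[2], 'tclass': fields['tclass'],
            'perms': m.group('perms').split(),
            'comm': fields.get('comm', '?'), 'dev': fields.get('dev', '?')}


def summarize(log_text):
    """Group denials by (source type, target type, class) for manual review."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(),
                                  'devs': set(), 'count': 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec['comm'])
        g['devs'].add(rec['dev'])
        g['count'] += 1
    for g in groups.values():
        # True when every denial in the group was on the proc filesystem.
        g['proc_only'] = g['devs'] == {'proc'}
    return dict(groups)
```

Groups with `proc_only` set are accesses to `/proc/<pid>` entries, which carry the label of the process they describe, so a daemon's type showing up there means the source process was inspecting that process rather than touching the daemon's own files. Whether such a group gets an allow rule, a dontaudit rule or a fix in the application remains a per-group policy decision.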