What to do if a package needs a modified SELinux policy?

Daniel J Walsh dwalsh at redhat.com
Tue May 31 14:49:46 UTC 2011


On 05/30/2011 04:52 AM, Kurt Seifried wrote:
> I'm experimenting with a package that needs to have rsyslog write to a
> named fifo pipe (so log data can be handed off from rsyslog to an
> external program). As I see it the options are:
> 
> 1) apologize to the user and tell them to disable SELinux (no thanks)
> 2) get Fedora SELinux policy to add an exception (best case scenario I think)
> 3) tell the user how to manually modify policy and update it (which
> might then break the next time SELinux policy gets updated/etc.).
> 
> Is there any official process/advice for this? Thanks in advance.
> 
> -Kurt

I would just request the policy to be updated to allow this.

Which policy version/OS are you dealing with?

It should be a mere matter of labeling the fifo_file with the
appropriate label to allow syslog to write. The real question is who is
on the other end of the fifo file listening for syslog messages?

We probably would need to write policy for this app.
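A local policy module sketching the labeling approach described in the reply above, as an added example that is not part of the original thread or of Fedora's shipped policy. The module name, the type `myapp_fifo_t` and the FIFO path are hypothetical; `syslogd_t` is the domain rsyslog runs in under the targeted policy.

```selinux
# myapp_fifo.te: hypothetical local module (all "myapp" names are assumptions)
policy_module(myapp_fifo, 1.0.0)

gen_require(`
	type syslogd_t;
')

# Dedicated type for the FIFO, so the grant covers this one object only
# and not every fifo_file carrying a shared type such as var_run_t.
type myapp_fifo_t;
files_type(myapp_fifo_t)

# Writer side only: rsyslog (syslogd_t) may open the pipe and write to it.
allow syslogd_t myapp_fifo_t:fifo_file { getattr open write append ioctl lock };

# Reader side is deliberately absent: the program consuming the pipe needs
# its own domain and read access to myapp_fifo_t, written as separate policy.

# myapp_fifo.fc: companion file-context entry (path is hypothetical).
# "-p" restricts the match to named pipes:
# /var/run/myapp\.fifo  -p  gen_context(system_u:object_r:myapp_fifo_t,s0)
```

Such a module is built with `make -f /usr/share/selinux/devel/Makefile myapp_fifo.pp` and loaded with `semodule -i myapp_fifo.pp`; running `restorecon` on the FIFO path then applies the new label.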

