Generating policies for Nagios on Fedora9 - difficulties
Dirk H. Schulz
dirk.schulz at kinzesberg.de
Fri Nov 7 08:06:41 UTC 2008
Paul,
--On 6. November 2008 12:09:45 +0000 Paul Howarth <paul at city-fan.org> wrote:
- snip -
>
> The SELinux denials that you're hitting now are probably dontaudit-ed in
> policy. You can turn off the dontaudit rules using:
>
> # semodule -BD
>
> and turn them back on using:
>
> # semodule -B
Thanks for helping, that was my problem.
>
> Be careful with policy generated from audit logs with dontaudit rules
> turned off to ensure that what you're allowing is actually necessary and
> not just unrelated noise.
I have tried to use only those denials that seemed related to my problem
(that means they contained "mailq" and "postqueue"). Now I have got this
working.
There are another two newbie questions, if you allow:
- loading a module with semodule -i - is this permanent or temporary
regarding reboots? I did not find any hint in web docs and man pages on
that.
- since I have done this very carefully step by step I now have lots of .te
and .pp files. Can I simply do ca "cat *.te > all.te" and recompile it or
is there a tool that generates a syntactically more compact .te file?
Dirk
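
The filtering described in this message (keeping only denials whose command is "mailq" or "postqueue" while dontaudit rules are off), as an added example that is not part of the original message: a Python script that groups the matching AVC denials into the allow rules they would produce, and counts the rest, so each rule can be reviewed before a module is built. The log lines, type names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the original message).
SAMPLE_LOG = """\
type=AVC msg=audit(1226044001.101:311): avc:  denied  { read } for  pid=2101 comm="mailq" name="maildrop" dev=dm-0 ino=4711 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1226044001.102:312): avc:  denied  { search } for  pid=2101 comm="mailq" name="maildrop" dev=dm-0 ino=4711 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1226044002.200:313): avc:  denied  { execute } for  pid=2102 comm="postqueue" name="postqueue" dev=dm-0 ino=4712 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=file
type=AVC msg=audit(1226044003.300:314): avc:  denied  { create } for  pid=2103 comm="ping" scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:system_r:nagios_t:s0 tclass=rawip_socket
"""

# Pull permissions, command, both contexts and the object class from an AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]+)"'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """A context is user:role:type[:level]; the third field is the type."""
    return context.split(":")[2]

def collect_rules(log_text, commands):
    """Group denials from the wanted commands; count the rest as possible noise."""
    rules = defaultdict(set)      # (source type, target type, class) -> permissions
    skipped = defaultdict(int)    # command name -> number of ignored denials
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if m["comm"] not in commands:
            skipped[m["comm"]] += 1
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules, dict(skipped)

def render(rules):
    """Format grouped denials as .te allow rules, one per (source, target, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out

if __name__ == "__main__":
    rules, skipped = collect_rules(SAMPLE_LOG, {"mailq", "postqueue"})
    print("\n".join(render(rules)))
    print("ignored (review separately):", skipped)
```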