Generating policies for Nagios on Fedora9 - difficulties

Paul Howarth paul at city-fan.org
Fri Nov 7 09:02:10 UTC 2008


On Fri, 07 Nov 2008 09:06:41 +0100
"Dirk H. Schulz" <dirk.schulz at kinzesberg.de> wrote:

> Paul,
> 
> --On 6. November 2008 12:09:45 +0000 Paul Howarth <paul at city-fan.org>
> wrote:
> 
> - snip -
> 
> >
> > The SELinux denials that you're hitting now are probably
> > dontaudit-ed in policy. You can turn off the dontaudit rules using:
> >
> > # semodule -BD
> >
> > and turn them back on using:
> >
> > # semodule -B
> 
> Thanks for helping, that was my problem.
> 
> >
> > Be careful with policy generated from audit logs with dontaudit
> > rules turned off to ensure that what you're allowing is actually
> > necessary and not just unrelated noise.
> 
> I have tried to use only those denials that seemed related to my
> problem (that means they contained "mailq" and "postqueue"). Now I
> have got this working.
> 
> There are another two newbie questions if you allow:
> - loading a module with semodule -i - is this permanent or temporary 
> regarding reboots? I did not find any hint in web docs and man pages
> on that.
> - since I have done this very carefully step by step I now have lots
> of .te and .pp files. Can I simply do ca "cat *.te > all.te" and
> recompile it or is there a tool that generates a syntactically more
> compact .te file?

Not sure; all I do in such cases is merge together the "require"
clauses at the top and then all of the allow rules/interface calls just
follow on all together as if it was just one regular file.

Paul.
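
The merge described in the reply above, as an added example that is not part of the original message: a Python function that unions the "require" declarations of several audit2allow-style .te files and combines allow rules that share the same source, target and class. It assumes one statement per line, as audit2allow writes them; `merge_te`, the module names and the sample rules are constructed for illustration.

```python
import re
from collections import defaultdict
CLASS_RE = re.compile(r"class\s+(\w+)\s+\{?([^};]*)\}?\s*;")
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{?([^};]*)\}?\s*;")

def merge_te(sources, name, version="1.0"):
    """Merge audit2allow-style .te texts (one statement per line) into one module."""
    decls, other, classes, allows = set(), [], defaultdict(set), defaultdict(set)
    for text in sources:
        in_require = False
        for line in map(str.strip, text.splitlines()):
            if not line or line.startswith(("#", "module ")):
                continue                      # old headers and comments are dropped
            if line.startswith("require") and line.endswith("{"):
                in_require = True
            elif in_require and line == "}":
                in_require = False
            elif in_require and (m := CLASS_RE.fullmatch(line)):
                classes[m.group(1)].update(m.group(2).split())   # union perms per class
            elif in_require:
                decls.add(line)               # 'type x;' etc., deduplicated
            elif m := ALLOW_RE.fullmatch(line):
                allows[m.group(1, 2, 3)].update(m.group(4).split())  # same rule, more perms
            elif line not in other:
                other.append(line)            # anything else is carried over verbatim
    fmt = lambda perms: "{ " + " ".join(sorted(perms)) + " }"
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\t{d}" for d in sorted(decls)]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(allows.items())]
    return "\n".join(out + other) + "\n"

# Constructed sample modules (names and rules are illustrative, not from the thread)
TE_A = """module mynagios1 1.0;
require {
    type nagios_t;
    type postfix_postqueue_exec_t;
    class file { execute getattr };
}
allow nagios_t postfix_postqueue_exec_t:file { execute getattr };"""
TE_B = """module mynagios2 1.0;
require {
    type nagios_t;
    type postfix_postqueue_exec_t;
    class file read;
}
allow nagios_t postfix_postqueue_exec_t:file read;"""

if __name__ == "__main__":
    print(merge_te([TE_A, TE_B], "mynagios"), end="")
```

Reading the merged output before compiling it is also a convenient point to re-check each rule against the earlier advice about noise from disabled dontaudit rules.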



