New to this list, and new to SELinux.

Dominick Grift dominick.grift at gmail.com
Fri Jan 18 07:53:45 UTC 2013


On Thu, 2013-01-17 at 18:11 -0500, Jean-David Beyer wrote:
> I have been running Red Hat Enterprise Linux since 2004, starting with
> RHEL 3. Later I upgraded to RHEL 5. When I needed a new computer, I got
> RHEL 6 to run on it.
> 
> RHEL 6 runs with SELinux turned on by default and it is presenting me
> with one problem, but my /var/log/messages file indicates I have _a lot_
> of others.
> 
> Now according to Red Hat's documentation, I should report these as bugs,
> but that seems a bit extreme if it is just a misconfiguration problem.
> 
> > Missing Type Enforcement rules are usually caused by bugs in SELinux
> > policy, and should be reported in Red Hat Bugzilla. For Red Hat
> > Enterprise Linux, create bugs against the Red Hat Enterprise Linux
> > product, and select the selinux-policy component. Include the output
> > of the audit2allow -w -a and audit2allow -a commands in such bug
> > reports.
> 
> Should I really do that? And if so, just how? How do I specify the
> problem in a way to be useful?
> 
> One problem is that I have a shell script, run by cron that sends an
> email with mailx to me (on the same machine). That means it is run by
> root. And the mail fails when cron runs it. It is adding an attachment
> and SELinux says it is denied. Now when I run it myself, but logged in
> as root, the e-mail works. I do not specifically want to solve that
> problem here, but I do need to know how to change the system policy file,
> wherever it is, so I do not need to continually make little ones, say by
> running stuff like this:
> 
> # grep boinc_client /var/log/audit/audit.log | audit2allow -M myboinc
> # semodule -i myboinc.pp
> 
> I also wish to make the changes, if they are really required, permanent.
> 
> Any advice?

You could fork the rhel selinux-policy package (you can download the
selinux-policy source rpm, use rpmbuild to prep it, then modify it to
your requirements and repackage it). Then distribute the repackaged rpms.

It is pretty easy to do with a little knowledge about rpm,
selinux-policy and a vcs.

I would, however, probably just create a new domain, make that a
cron_system_entry and write policy to allow that domain what it needs
rather than extending the generic cron system domain.

But replacing the existing cron module is probably also an option.
semodule allows one to -r (remove) and -d (disable) optional modules;
this enables one to replace them with modified versions.


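A sketch of the "new domain as a cron_system_entry" approach suggested in the reply, added here as an example and not taken from the thread or from the RHEL policy. The module name `mymailjob`, the types `mymailjob_t` and `mymailjob_exec_t`, and the script path are hypothetical; the interfaces are reference-policy ones, and which of them the script actually needs is an assumption to be checked against the denials logged for the new domain.

```selinux
# mymailjob.te -- hypothetical module for a root cron job that sends mail
policy_module(mymailjob, 1.0.0)

# A dedicated domain for the script and an entry-point type for its file.
type mymailjob_t;
type mymailjob_exec_t;
application_domain(mymailjob_t, mymailjob_exec_t)

# Have system cron jobs transition into mymailjob_t when they execute a file
# labeled mymailjob_exec_t, instead of running it in the generic cron domain.
cron_system_entry(mymailjob_t, mymailjob_exec_t)

# Assumed needs of a shell script that calls mailx: run the shell and
# ordinary binaries, and hand the message to the system mailer.
corecmd_exec_shell(mymailjob_t)
corecmd_exec_bin(mymailjob_t)
mta_send_mail(mymailjob_t)

# Anything else (for example, read access to the attachment's file type)
# is added here after reviewing AVC denials for mymailjob_t, e.g.:
#   grep mymailjob_t /var/log/audit/audit.log | audit2allow -w
#
# mymailjob.fc (separate file, path is a placeholder):
#   /usr/local/sbin/mymailjob.sh -- gen_context(system_u:object_r:mymailjob_exec_t,s0)
#
# Build and install (needs the selinux-policy development files):
#   make -f /usr/share/selinux/devel/Makefile mymailjob.pp
#   semodule -i mymailjob.pp
#   restorecon -v /usr/local/sbin/mymailjob.sh
#
# A module installed with semodule -i stays in the module store and is
# loaded again on every boot until it is removed with semodule -r.
```

Keeping the rules in one named module means later changes are made by editing the .te file and reinstalling it, rather than stacking further audit2allow-generated modules.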