SELinux Coloring book?

Daniel J Walsh dwalsh at redhat.com
Thu Nov 14 17:41:39 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/14/2013 10:45 AM, Timothy Murphy wrote:
> Daniel J Walsh wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 11/14/2013 09:24 AM, Timothy Murphy wrote:
>>> Miroslav Grepl wrote:
>>> 
>>>>> New article on opensource.com describing SELinux enforcement in
>>>>> simple terms. Check it out.
>>>>> 
>>>>> http://opensource.com/business/13/11/selinux-policy-guide
>>> 
>>>> I believe it is a great introduction to SELinux.
>>> 
>>> I liked this.
>>> 
>>> I also liked the video <http://www.youtube.com/watch?v=MxjenQ31b70>
>>> with accompanying slides at
>>> 
> <http://people.redhat.com/tcameron/summit2010/selinux/SELinuxMereMortals.pdf>.
>>>
>>>
> 
I thought I'd try to move from SELinux permissive mode following the
>>> advice in this video and slides.
>>> 
>>> The main problem I met was following sealert advice of the form 
>>> ----------------------------- If you want to allow perl to have search 
>>> access on the tim directory Then you need to change the label on 
>>> /home/tim Do # semanage fcontext -a -t FILE_TYPE '/home/tim' where 
>>> FILE_TYPE is one of the following: etc_t, proc_t, sysfs_t,
> ...
>>> devpts_t, var_t, user_home_dir_t, cluster_conf_t, var_t, var_t. 
>>> -----------------------------
>>> 
>> 
>> Yes those ones are tough, basically the system is trying to expand the 
>> list of file types that the application is allowed to write.  In this
>> case it expanded a little too large.
>> 
>> What was the AVC that caused this?
> 
> I gave the command [root at grover tim]# sealert -a /var/log/audit/audit.log 
> which was mentioned in the video I cited, and the above was one of many
> suggestions that were made.
> 
> The response started with 11 AVC's, which all concerned the same file, this
> being a sample:
> 
> **** Invalid AVC allowed in current policy ***
> 
> type=AVC msg=audit(1330438567.88:108452): avc:  denied  { getattr } for 
> pid=2567 comm="config" path="/etc/dovecot/dovecot.conf" dev=sdb10 
> ino=3392618 scontext=unconfined_u:system_r:dovecot_t:s0 
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> 
> found 11 alerts in /var/log/audit/audit.log
> 
> Then there was a much longer portion going over different files, giving
> terse advice of what to do in many cases, but also vague advice of the kind
> above in other cases.
> 
Looks like you had a mislabeled file in /etc.  Did it suggest restorecon as
its #1 option?

restorecon -R -v /etc/dovecot


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKFC1MACgkQrlYvE4MpobPv2wCgsdzQMkmpTn007vzS+S3jWDJL
3YYAoIcE1caLvg08ofkvzUg4x3VULovC
=im0Q
-----END PGP SIGNATURE-----

More information about the users mailing list