09-14-2008, 09:15 PM
Sebastian Hennebrueder
 
question on new filecontext type and documentation issues

Hello,
thank you for the nice solution you provided with Selinux.

I have two issues:

1)
I use Centos 5.2 which clones Redhat Enterprise Linux. I use the
targeted policy.


Postfix and dovecot share the certificates. I solved the problem in a
way that I copied the certificates and set the corresponding context.
I don't like this approach. Alternatively I can use the normal
audit2allow approach to allow postfix access to dovecot or vice versa
but I would like not to give them this right.
The best solution is to create a new context which can be accessed by
both domains.
With the new module approach, how do I start to write a new context
type? It is probably simple but I don't find the way to start by reading
the documentation on the net.


2)
I am actually a Java developer running my own Linux server, so I am far
away from being a Linux expert.

My feeling is that the documentation is really hard to follow.

It was hard to find out how to interpret the audit.log. The only
location to explain the different attributes seems to be
http://seedit.sourceforge.net/doc/access_vectors/
But still some documented log entries would be fine, e.g. what does a
socket connect require, what does a search for the config file in /etc
require, ...


I found the tip to use sealert -a on the
http://wiki.centos.org/HowTos/SELinux


I found the statement do 'cat audit.log | audit2allow ...' but don't
trust the result somewhere. But well, if I shouldn't trust, I would
appreciate to analyse as well.


Your wiki does note
http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
which is a good resource after
having understood the basics


The next page told me about sesearch, which is a very important tool IMHO.
http://www.durchmesser.ch/wiki/SELinux


I still have no idea how to find information on the different macros
which were noted somewhere.


From my beginner point of view, I noted my steps and resources on my
blog at http://www.laliluna.de/blog/


To summarize, I would appreciate a somehow more centralized complete
documentation, much more oriented to practical use cases.


Best Regards

Sebastian


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
09-15-2008, 01:43 PM
Daniel J Walsh
 
question on new filecontext type and documentation issues

Sebastian Hennebrueder wrote:
> Hello,
> thank you for the nice solution you provided with Selinux.
>
> I have two issues:
>
> 1)
> I use Centos 5.2 which clones Redhat Enterprise Linux. I use the
> targeted policy.
>
> Postfix and dovecot share the certificates. I solved the problem in a
> way that I copied the certificates and set the corresponding context.
> I don't like this approach. Alternatively I can use the normal
> audit2allow approach to allow postfix access to dovecot or vice versa
> but I would like not to give them this right.
> The best solution is to create a new context which can be accessed by
> both domains.
> With the new module approach, how do I start to write a new context
> type? It is probably simple but I don't find the way to start by reading
> the documentation on the net.
>
> 2)
> I am actually a Java developer running my own Linux server, so I am far
> away from being a Linux expert.
> My feeling is that the documentation is really hard to follow.
>
> It was hard to find out how to interpret the audit.log. The only
> location to explain the different attributes seems to be
>> http://seedit.sourceforge.net/doc/access_vectors/
> But still some documented log entries would be fine, e.g. what does a
> socket connect require, what does a search for the config file in /etc
> require, ...
>
> I found the tip to use sealert -a on the
> http://wiki.centos.org/HowTos/SELinux
>
> I found the statement do 'cat audit.log | audit2allow ...' but don't
> trust the result somewhere. But well, if I shouldn't trust, I would
> appreciate to analyse as well.
>
> Your wiki does note
> http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
> which is a good resource after
> having understood the basics
>
> The next page told me about sesearch, which is a very important tool IMHO.
> http://www.durchmesser.ch/wiki/SELinux
>
> I still have no idea how to find information on the different macros
> which were noted somewhere.
>
> From my beginner point of view, I noted my steps and resources on my
> blog at http://www.laliluna.de/blog/
>
> To summarize, I would appreciate a somehow more centralized complete
> documentation, much more oriented to practical use cases.
>
> Best Regards
>
> Sebastian
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Sebastian, I answered in my blog:

http://danwalsh.livejournal.com/24147.html

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
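
An added example, not part of the original posts and not audit2allow's own code: a small parser for the audit.log AVC records the first post asks how to interpret. It extracts the source type, target type, object class and permissions from each denial and renders the allow rule each group would need, so the grant can be reviewed before any module is built. The log lines are constructed samples, and the type names `postfix_smtpd_t` and `dovecot_cert_t` in them are assumptions about the poster's setup.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit.log AVC layout (not taken from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1221400000.090:411): avc:  denied  { search } for  pid=2301 comm="smtpd" name="dovecot" dev=dm-0 ino=98305 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_cert_t:s0 tclass=dir
type=AVC msg=audit(1221400000.101:412): avc:  denied  { read } for  pid=2301 comm="smtpd" name="dovecot.pem" dev=dm-0 ino=98311 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1221400000.101:412): arch=40000003 syscall=5 success=no exit=-13 comm="smtpd" exe="/usr/libexec/postfix/smtpd"
type=AVC msg=audit(1221400000.102:413): avc:  denied  { getattr } for  pid=2301 comm="smtpd" path="/etc/pki/dovecot/dovecot.pem" dev=dm-0 ino=98311 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_cert_t:s0 tclass=file
type=AVC msg=audit(1221400050.200:420): avc:  granted  { setenforce } for  pid=3000 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:level]; policy rules name only the type.
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize_denials(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":  # skip 'granted' audit records
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return dict(grouped)

def as_allow_rules(grouped):
    """Render each group as the allow rule it would take, for review only."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE_LOG))))
```

For the sample, both rules name `postfix_smtpd_t` as source and `dovecot_cert_t` as target, which is the direct postfix-to-dovecot grant the first post says it would rather not give.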
 
