question on new filecontext type and documentation issues
Sebastian Hennebrueder wrote:
> thank you for the nice solution you provided with Selinux.
> I have two issues:
> I use Centos 5.2 which clones Redhat Enterprise Linux. I use the
> targeted policy.
> Postfix and dovecot share the certificates. I solved the problem in a
> way that I copied the certificates and set the corresponding context.
> I don't like this approach. Alternatively I can use the normal
> audit2allow approach to allow postfix access to dovecot or vice versa
> but I would like not to give them this right.
> The best solution is to create a new context which can be accessed by
> both domains.
> With the new module approach, how do I start to write a new context
> type? It is probably simple but I don't find the way to start by reading
> the documentation on the net.
> I am actually a Java developer running my own Linux server, so I am far
> away from being a Linux expert.
> My feeling is that the documentation is really hard to follow.
> It was hard to find out how to interpret the audit.log. The only
> location to explain the different attributes seems to be
> But still some documented log entries would be fine, e.g. what does a
> socket connect require, what does a search for the config file in /etc
> require, ...
> I found the tip to use sealert -a on the
> I found the statement do 'cat audit.log | audit2allow ...' but don't
> trust the result somewhere. But well, if I shouldn't trust, I would
> appreciate to analyse as well.
> Your wiki does note
> having understood the basics
> The next page told me about sesearch, which is a very important tool IMHO.
> I still have no idea how to find information on the different macros
> which were noted somewhere.
> From my beginner point of view, I noted my steps and resources on my
> blog at http://www.laliluna.de/blog/
> To summarize, I would appreciate a somehow more centralized complete
> documentation, much more oriented to practical use cases.
> Best Regards
> fedora-selinux-list mailing list
Sebastian, I answered in my blog:
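
For the question quoted above (one new file type readable by both postfix and dovecot), a minimal policy module could look like the following. It is an added example, not taken from the reply or the blog post. The module name `mailcerts`, the type `mail_cert_t` and the directory `/etc/pki/mailcerts` are hypothetical, and the two domains are assumptions: use the `scontext` domains that actually appear in your AVC denials.

```selinux
# mailcerts.te (hypothetical module name): a shared, read-only certificate type
module mailcerts 1.0;

require {
    attribute file_type;
    # Assumed domains; take the real ones from scontext= in audit.log
    type dovecot_t;
    type postfix_smtpd_t;
    class dir { getattr search read };
    class file { getattr read };
    class lnk_file { getattr read };
}

# The new type. Giving it the file_type attribute lets it label files on disk.
type mail_cert_t;
typeattribute mail_cert_t file_type;

# Read-only access for dovecot
allow dovecot_t mail_cert_t:dir { getattr search read };
allow dovecot_t mail_cert_t:file { getattr read };
allow dovecot_t mail_cert_t:lnk_file { getattr read };

# Read-only access for the postfix SMTP server
allow postfix_smtpd_t mail_cert_t:dir { getattr search read };
allow postfix_smtpd_t mail_cert_t:file { getattr read };
allow postfix_smtpd_t mail_cert_t:lnk_file { getattr read };

# Neither domain gets write, create or unlink, and postfix gets no access
# to dovecot's own types (or the reverse), which is the point of a shared type.
# Policies that define the "open" file permission (later than this release)
# would need it added to the rules above.

# Build and load:
#   checkmodule -M -m -o mailcerts.mod mailcerts.te
#   semodule_package -o mailcerts.pp -m mailcerts.mod
#   semodule -i mailcerts.pp
#
# Label the shared directory (hypothetical path) persistently:
#   semanage fcontext -a -t mail_cert_t '/etc/pki/mailcerts(/.*)?'
#   restorecon -Rv /etc/pki/mailcerts
#
# Check the result:
#   sesearch --allow -t mail_cert_t
#   ls -Z /etc/pki/mailcerts
```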