Old 02-05-2009, 04:18 AM
Deependra Singh Shekhawat
 
Default Query regarding booleans

Greetings,

I have written a SELinux policy in Fedora which actually has a boolean declared within the policy, and when the boolean is on, some allow rules are written which actually come into the picture. But if the boolean is off, the SELinux denial message doesn't suggest that the user actually switch on the boolean. I have seen that in the normal case with the default booleans this is not the case, and the denial actually suggests that the user switch on the boolean. I believe I need to do something more than what I am currently doing; that's why I am asking here.

Can you suggest anything regarding this?

Warm Regards
Deependra Singh Shekhawat
--
Type bits /keyID    Date       User ID
pub  1024D/483B234C 2007/06/29 Deependra Singh Shekhawat (Fedora Project) <jeevanullas@gmail.com>
     Key fingerprint = ED45 62EA A4D7 53FB 44C7  774A D55B F3F0 483B 234C
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-05-2009, 04:56 PM
Stephen Smalley
 
Default Query regarding booleans

On Wed, 2009-02-04 at 21:18 -0800, Deependra Singh Shekhawat wrote:
>
> Greetings,
>
>
>
> I have written a selinux policy in fedora which actually have a
> boolean declared within the policy and when the boolean is on some
> allow rules are written which actually come into picture. But if the
> boolean is off the SELinux denial message doesn't suggest the user to
> actually switch on the boolean. I have seen in the normal case with
> the default booleans this is not the case and the denial actually
> suggest the user to switch on the boolean. I believe I need to do
> something more then what I am currently doing that's why I am asking
> here.
>
>
>
> Can you suggest me anything regarding this ?

If you feed the denial message to audit2why, does it suggest changing
the boolean?

--
Stephen Smalley
National Security Agency

 
Old 02-10-2009, 01:24 PM
Daniel J Walsh
 
Default Query regarding booleans

Deependra Singh Shekhawat wrote:
> Greetings,
>
> I have written a selinux policy in fedora which actually have a boolean
> declared within the policy and when the boolean is on some allow rules are
> written which actually come into picture. But if the boolean is off the
> SELinux denial message doesn't suggest the user to actually switch on the
> boolean. I have seen in the normal case with the default booleans this is
> not the case and the denial actually suggest the user to switch on the
> boolean. I believe I need to do something more then what I am currently
> doing that's why I am asking here.
>
> Can you suggest me anything regarding this ?
>
> Warm Regards
> Deependra Singh Shekhawat
>
Are you talking about setroubleshoot not suggesting the correct solution?

What is setroubleshoot suggesting? Also, as Stephen says, if you run

audit2allow -w -a

on the AVCs, does it suggest the boolean?
 
Old 02-11-2009, 05:03 AM
Deependra Singh Shekhawat
 
Default Query regarding booleans

On Thu, Feb 5, 2009 at 11:26 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Wed, 2009-02-04 at 21:18 -0800, Deependra Singh Shekhawat wrote:
>> Greetings,
>>
>> I have written a selinux policy in fedora which actually have a
>> boolean declared within the policy and when the boolean is on some
>> allow rules are written which actually come into picture. But if the
>> boolean is off the SELinux denial message doesn't suggest the user to
>> actually switch on the boolean. I have seen in the normal case with
>> the default booleans this is not the case and the denial actually
>> suggest the user to switch on the boolean. I believe I need to do
>> something more then what I am currently doing that's why I am asking
>> here.
>>
>> Can you suggest me anything regarding this ?
>
> If you feed the denial message to audit2why, does it suggest changing
> the boolean?
>
> --
> Stephen Smalley
> National Security Agency

Sorry for a late reply.
Yes it says to look for boolean settings but it doesn't mention any boolean name as such.

Thanks
--
Type bits /keyID    Date       User ID
pub  1024D/483B234C 2007/06/29 Deependra Singh Shekhawat (Fedora Project) <jeevanullas@gmail.com>
     Key fingerprint = ED45 62EA A4D7 53FB 44C7  774A D55B F3F0 483B 234C


 
Old 02-11-2009, 09:56 PM
Daniel J Walsh
 
Default Query regarding booleans

Deependra Singh Shekhawat wrote:
> On Thu, Feb 5, 2009 at 11:26 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> On Wed, 2009-02-04 at 21:18 -0800, Deependra Singh Shekhawat wrote:
>>> Greetings,
>>>
>>>
>>>
>>> I have written a selinux policy in fedora which actually have a
>>> boolean declared within the policy and when the boolean is on some
>>> allow rules are written which actually come into picture. But if the
>>> boolean is off the SELinux denial message doesn't suggest the user to
>>> actually switch on the boolean. I have seen in the normal case with
>>> the default booleans this is not the case and the denial actually
>>> suggest the user to switch on the boolean. I believe I need to do
>>> something more then what I am currently doing that's why I am asking
>>> here.
>>>
>>>
>>>
>>> Can you suggest me anything regarding this ?
>> If you feed the denial message to audit2why, does it suggest changing
>> the boolean?
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>
> Sorry for a late reply.
>
> Yes it says to look for boolean settings but it doesn't mention any boolean
> name as such.
>
> Thanks
>
RHEL5?
 
Old 02-12-2009, 02:29 AM
Deependra Singh Shekhawat
 
Default Query regarding booleans

Sorry,

My gmail is not configured properly and by default it is sending reply
to you and not the list.

Yes I am using RHEL 5 update 2.

Thanks

Daniel J Walsh wrote:
> Deependra Singh Shekhawat wrote:
>> On Thu, Feb 5, 2009 at 11:26 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>>> On Wed, 2009-02-04 at 21:18 -0800, Deependra Singh Shekhawat wrote:
>>>> Greetings,
>>>>
>>>>
>>>>
>>>> I have written a selinux policy in fedora which actually have a
>>>> boolean declared within the policy and when the boolean is on some
>>>> allow rules are written which actually come into picture. But if the
>>>> boolean is off the SELinux denial message doesn't suggest the user to
>>>> actually switch on the boolean. I have seen in the normal case with
>>>> the default booleans this is not the case and the denial actually
>>>> suggest the user to switch on the boolean. I believe I need to do
>>>> something more then what I am currently doing that's why I am asking
>>>> here.
>>>>
>>>>
>>>>
>>>> Can you suggest me anything regarding this ?
>>> If you feed the denial message to audit2why, does it suggest changing
>>> the boolean?
>>>
>>> --
>>> Stephen Smalley
>>> National Security Agency
>>>
>>>
>> Sorry for a late reply.
>
>> Yes it says to look for boolean settings but it doesn't mention any boolean
>> name as such.
>
>> Thanks
> RHEL5?

--
RHCE/RHCSS Certificate number: 804006843818597
Type: pub
bits/keyID: 1024D/483B234C
Date: 2007/06/29
Key Server: pgp.mit.edu
User ID: Deependra Singh Shekhawat (Fedora Project)
<jeevanullas@gmail.com> <deepsa@fedoraproject.org>
Key fingerprint: ED45 62EA A4D7 53FB 44C7 774A D55B F3F0 483B 234C
 
Old 02-12-2009, 12:53 PM
Daniel J Walsh
 
Default Query regarding booleans

Deependra Singh Shekhawat wrote:
> Sorry,
>
> My gmail is not configured properly and by default it is sending reply
> to you and not the list.
>
> Yes I am using RHEL 5 update 2.
>
> Thanks
>
> Daniel J Walsh wrote:
>> Deependra Singh Shekhawat wrote:
>>> On Thu, Feb 5, 2009 at 11:26 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>> On Wed, 2009-02-04 at 21:18 -0800, Deependra Singh Shekhawat wrote:
>>>>> Greetings,
>>>>>
>>>>>
>>>>>
>>>>> I have written a selinux policy in fedora which actually have a
>>>>> boolean declared within the policy and when the boolean is on some
>>>>> allow rules are written which actually come into picture. But if the
>>>>> boolean is off the SELinux denial message doesn't suggest the user to
>>>>> actually switch on the boolean. I have seen in the normal case with
>>>>> the default booleans this is not the case and the denial actually
>>>>> suggest the user to switch on the boolean. I believe I need to do
>>>>> something more then what I am currently doing that's why I am asking
>>>>> here.
>>>>>
>>>>>
>>>>>
>>>>> Can you suggest me anything regarding this ?
>>>> If you feed the denial message to audit2why, does it suggest changing
>>>> the boolean?
>>>>
>>>> --
>>>> Stephen Smalley
>>>> National Security Agency
>>>>
>>>>
>>> Sorry for a late reply.
>>> Yes it says to look for boolean settings but it doesn't mention any boolean
>>> name as such.
>>> Thanks
>> RHEL5?
>

RHEL5 audit2allow/audit2why was not as smart as F9/F10 where it can find
a boolean that can satisfy an avc message
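
Where audit2why reports that a boolean is involved but does not name it, as on the RHEL 5 system in this thread, the policy can be queried directly for conditional allow rules that match the denial. The script below is an added example, not code from the thread: the AVC line, the types `myapp_t` and `myapp_data_t`, and the boolean `myapp_use_data` are constructed, and the rule-line layout assumes `sesearch` from setools 3.

```shell
#!/bin/sh
# Added example: map an AVC denial to a sesearch query for conditional rules.
# The AVC line, types and boolean name are constructed for illustration.
SAMPLE_AVC='type=AVC msg=audit(1234400000.123:42): avc:  denied  { read write } for  pid=2101 comm="myapp" name="data.db" dev=dm-0 ino=1179 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_data_t:s0 tclass=file'

# Print the type (third field) of the scontext= or tcontext= label.
avc_type() {    # $1 = AVC line, $2 = scontext | tcontext
    printf '%s\n' "$1" | sed -n "s/.* $2=[^: ]*:[^: ]*:\([^: ]*\).*/\1/p"
}

# Print the denied permissions as a comma-separated list.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr ' ' ','
}

# Print the object class of the denied access.
avc_class() {
    printf '%s\n' "$1" | sed -n 's/.* tclass=\([^ ]*\).*/\1/p'
}

# Build the query; -C makes sesearch print each rule's conditional expression.
avc_to_sesearch() {
    printf 'sesearch --allow -s %s -t %s -c %s -p %s -C\n' \
        "$(avc_type "$1" scontext)" "$(avc_type "$1" tcontext)" \
        "$(avc_class "$1")" "$(avc_perms "$1")"
}

# Print the boolean names in the trailing "[ expr ]" of a conditional rule line.
rule_booleans() {
    printf '%s\n' "$1" | sed -n 's/.*\[ *\(.*[^ ]\) *\] *$/\1/p' |
        tr -s ' !&|()^=' '\n' | sed '/^$/d' | sort -u
}

# Constructed rule line in the layout sesearch -C uses (setools 3 assumed).
SAMPLE_RULE='DT allow myapp_t myapp_data_t : file { read write } ; [ myapp_use_data ]'

avc_to_sesearch "$SAMPLE_AVC"   # command to run against the loaded policy
rule_booleans "$SAMPLE_RULE"    # boolean(s) to check with getsebool
```

On a real system, feed it a line from `ausearch -m avc` and check the reported boolean with `getsebool` before deciding whether to enable it with `setsebool`.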
 
