Greetings,

I have written a SELinux policy in Fedora which actually has a boolean declared within the policy and when the boolean is on some allow rules are written which actually come into picture. But if the boolean is off the SELinux denial message doesn't suggest the user to actually switch on the boolean. I have seen in the normal case with the default booleans this is not the case and the denial actually suggests the user to switch on the boolean. I believe I need to do something more than what I am currently doing, that's why I am asking here.

Can you suggest anything regarding this?

Warm Regards
Deependra Singh Shekhawat
--
Type bits/keyID    Date       User ID
pub  1024D/483B234C 2007/06/29 Deependra Singh Shekhawat (Fedora Project) <jeevanullas@gmail.com>
On Wed, 2009-02-04 at 21:18 -0800, Deependra Singh Shekhawat wrote:
> Greetings,
>
> I have written a SELinux policy in Fedora which actually has a
> boolean declared within the policy and when the boolean is on some
> allow rules are written which actually come into picture. But if the
> boolean is off the SELinux denial message doesn't suggest the user to
> actually switch on the boolean. I have seen in the normal case with
> the default booleans this is not the case and the denial actually
> suggests the user to switch on the boolean. I believe I need to do
> something more than what I am currently doing, that's why I am asking
> here.
>
> Can you suggest anything regarding this?
If you feed the denial message to audit2why, does it suggest changing
the boolean?
--
Stephen Smalley
National Security Agency
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
02-10-2009, 01:24 PM
Daniel J Walsh
Query regarding booleans
Deependra Singh Shekhawat wrote:
> Greetings,
>
> I have written a SELinux policy in Fedora which actually has a boolean
> declared within the policy and when the boolean is on some allow rules are
> written which actually come into picture. But if the boolean is off the
> SELinux denial message doesn't suggest the user to actually switch on the
> boolean. I have seen in the normal case with the default booleans this is
> not the case and the denial actually suggests the user to switch on the
> boolean. I believe I need to do something more than what I am currently
> doing, that's why I am asking here.
>
> Can you suggest anything regarding this?
>
> Warm Regards
> Deependra Singh Shekhawat
Are you talking about setroubleshoot not suggesting the correct solution?
What is setroubleshoot suggesting? Also, as Stephen says, if you run
audit2allow -w -a
on the AVCs, does it suggest the boolean?
02-11-2009, 09:56 PM
Daniel J Walsh
Query regarding booleans
Deependra Singh Shekhawat wrote:
> On Thu, Feb 5, 2009 at 11:26 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> If you feed the denial message to audit2why, does it suggest changing
>> the boolean?
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>
> Sorry for a late reply.
>
> Yes it says to look for boolean settings but it doesn't mention any boolean
> name as such.
>
> Thanks
RHEL5?
02-12-2009, 02:29 AM
Deependra Singh Shekhawat
Query regarding booleans
Sorry,
My Gmail is not configured properly and by default it is sending the reply
to you and not the list.
Yes I am using RHEL 5 update 2.
Thanks
Daniel J Walsh wrote:
> RHEL5?
02-12-2009, 12:53 PM
Daniel J Walsh
Query regarding booleans
Deependra Singh Shekhawat wrote:
> Sorry,
>
> My Gmail is not configured properly and by default it is sending the reply
> to you and not the list.
>
> Yes I am using RHEL 5 update 2.
>
> Thanks
RHEL5 audit2allow/audit2why was not as smart as F9/F10, where it can find
a boolean that can satisfy an AVC message.
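
The lookup described in the last reply (naming a boolean that would satisfy an AVC) can be approximated by hand on a system whose audit2why does not do it. The sketch below is an added example, not code from any poster and not audit2why's implementation: it matches one denial against the conditional blocks of a module's source. The policy text, the type names and the boolean myapp_read_logs are constructed, and only simple `if (bool) { ... }` blocks are handled.

```python
import re

# Constructed sample: source of a local module with one conditional block.
POLICY_TE = """
bool myapp_read_logs false;
allow myapp_t myapp_conf_t:file { read getattr };
if (myapp_read_logs) {
    allow myapp_t var_log_t:file { read getattr open };
    allow myapp_t var_log_t:dir search;
}
"""

# Constructed AVC denial in audit.log format.
AVC = ('type=AVC msg=audit(1234567890.123:42): avc:  denied  { read } for  '
       'pid=2112 comm="myapp" name="messages" dev=dm-0 ino=1234 '
       'scontext=system_u:system_r:myapp_t:s0 '
       'tcontext=system_u:object_r:var_log_t:s0 tclass=file')

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
# Simplification: a single boolean per condition, block closed by '}' on its own line.
IF_RE = re.compile(r"if\s*\(\s*(\w+)\s*\)\s*\{(.*?)\n\}", re.S)


def parse_avc(line):
    """Return (source type, target type, class, set of denied permissions)."""
    perms = set(re.search(r"denied\s+\{([^}]*)\}", line).group(1).split())
    stype = re.search(r"scontext=[^:]+:[^:]+:([^:\s]+)", line).group(1)
    ttype = re.search(r"tcontext=[^:]+:[^:]+:([^:\s]+)", line).group(1)
    tclass = re.search(r"tclass=(\w+)", line).group(1)
    return stype, ttype, tclass, perms


def booleans_for(avc_line, policy_text):
    """Booleans whose conditional block grants every permission in the denial."""
    stype, ttype, tclass, denied = parse_avc(avc_line)
    found = []
    for name, body in IF_RE.findall(policy_text):
        granted = set()
        for s, t, c, p in ALLOW_RE.findall(body):
            if (s, t, c) == (stype, ttype, tclass):
                granted |= set(p.strip("{} ").split())
        if denied <= granted:
            found.append(name)
    return found


if __name__ == "__main__":
    for name in booleans_for(AVC, POLICY_TE):
        print("denial would be allowed with: setsebool -P %s 1" % name)
```

A denial that no conditional block covers returns an empty list, which corresponds to the RHEL5 behaviour reported in the thread: a hint to look at booleans without a name.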