12-08-2009, 05:57 PM
Dominick Grift
Combining modules?

On Tue, Dec 08, 2009 at 10:41:51AM -0800, John Oliver wrote:
> I don't know if there's a better way to do this, but I'm trying to get
> nagios working with selinux (CentOS 5.4 Final) I try to run it, get an
> error, create a policy module, install it, and return to step one. It's
> getting pretty ridiculous:

Yes, this is a common issue with developing policy. What developers usually do is develop policy in permissive mode or, in Fedora 11 and up, using permissive domains. These methods allow you to accumulate all or at least most AVC denials in one run. This is because permissive mode/domains allow the access but log "would be" denials. So the process usually works, but you'll still get to see what SELinux would have denied.

But apart from that, you can also develop policy in enforcing mode, although since SELinux actually denies every permission, the process cannot proceed. So you'll write a rule, reload the modified policy, append the next rule, reload, and so forth and so forth.

An easier way to do that is to just modify your source policy (the .te, .if and .fc files), rebuild the binary policy and install it again. That will overwrite the installed policy.

echo "policy_module(example, 1.0.0)" > example.te;
make -f /usr/share/selinux/devel/Makefile example.pp
sudo semodule -i example.pp
# .. later you figure out more policy is required ..
# .. appending some stuff to existing source policy example.te file ..
echo "type example_t;" >> example.te;
echo "type example_exec_t;" >> example.te;
echo "init_daemon_domain(example_t, example_exec_t)" >> example.te;
# .. building a binary module again, this time from modified source policy example.te file ..
make -f /usr/share/selinux/devel/Makefile example.pp
# .. installing modified example.pp binary module *again*, which, if policy version is the same, overwrites the existing installed example.pp ..
sudo semodule -i example.pp

That way you will end up with a single module with all your mods for a particular domain.

> [joliver@mda-services4 ~]$ sudo /usr/sbin/semodule -l | grep nagios
> nagios 1.1.0
> nagios10 1.0
> nagios2 1.0
> nagios3 1.0
> nagios4 1.0
> nagios5 1.0
> nagios6 1.0
> nagios7 1.0
> nagios8 1.0
> nagios9 1.0
> When I finally discover all of the problems... is there a way to dump
> all of those modules into one? Both for my sanity, and so that I can
> maybe submit that module to CentOS so the next poor SOB who tries to do
> this doesn't have to reinvent the wheel?
> Or is there another, better, way to find all of the various rules that
> are needed in one fell swoop?
> --
> ************************************************** *********************
> * John Oliver http://www.john-oliver.net/ *
> * *
> ************************************************** *********************
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
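
Added example, not part of the original post or the list's code: a sketch of why one permissive run is enough, folding a batch of logged "would be" denials into one merged rule set for a single module. The log lines, the function names avc_to_rules and sample_log, and the types in the sample are constructed for illustration; on a real system audit2allow does this from the audit log and also emits the require block.

```shell
#!/bin/sh
# avc_to_rules: read audit log lines on stdin and print one allow rule per
# (source type, target type, class), with the union of denied permissions.
avc_to_rules() {
    awk '
    /avc:/ && /denied/ {
        lb = index($0, "{"); rb = index($0, "}")
        if (lb == 0 || rb < lb) next              # malformed record, skip
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type[:level]; the type is the 3rd part
            if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(substr($0, lb + 1, rb - lb - 1), p, " ")
        for (i = 1; i <= n; i++)                  # add each permission once
            if (!seen[key, p[i]]++) perms[key] = perms[key] " " p[i]
    }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }
    ' | LC_ALL=C sort
}

# Constructed sample: four denials from one permissive run plus one
# unrelated record that must be ignored.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1260297000.101:11): avc:  denied  { read } for  pid=2101 comm="nagios" name="status.dat" dev=dm-0 ino=4001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1260297000.102:12): avc:  denied  { getattr } for  pid=2101 comm="nagios" path="/var/nagios/status.dat" dev=dm-0 ino=4001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1260297000.102:12): arch=c000003e syscall=4 success=yes exit=0 comm="nagios"
type=AVC msg=audit(1260297000.150:13): avc:  denied  { write } for  pid=2101 comm="nagios" name="nagios.sock" dev=dm-0 ino=4002 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1260297001.001:14): avc:  denied  { read } for  pid=2101 comm="nagios" name="status.dat" dev=dm-0 ino=4001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

sample_log | avc_to_rules
```

The four denials collapse into two rules, which is what ends up in the single source .te instead of one module per denial.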