Generating policies for Nagios on Fedora9 - difficulties

Daniel J Walsh dwalsh at redhat.com
Fri Nov 7 14:56:12 UTC 2008


Dirk H. Schulz wrote:
> Paul,
> 
> --On 6. November 2008 12:09:45 +0000 Paul Howarth <paul at city-fan.org>
> wrote:
> 
> - snip -
> 
>>
>> The SELinux denials that you're hitting now are probably dontaudit-ed in
>> policy. You can turn off the dontaudit rules using:
>>
>> # semodule -BD
>>
>> and turn them back on using:
>>
>> # semodule -B
> 
> Thanks for helping, that was my problem.
> 
>>
>> Be careful with policy generated from audit logs with dontaudit rules
>> turned off to ensure that what you're allowing is actually necessary and
>> not just unrelated noise.
> 
> I have tried to use only those denials that seemed related to my problem
> (that means they contained "mailq" and "postqueue"). Now I have got this
> working.
> 
> There are another two newbie questions, if you allow:
> - loading a module with semodule -i - is this permanent or temporary
> regarding reboots? I did not find any hint in web docs and man pages on
> that.
Yes, they are permanent.
> - since I have done this very carefully, step by step, I now have lots of
> .te and .pp files. Can I simply do "cat *.te > all.te" and recompile
> it, or is there a tool that generates a syntactically more compact .te file?
> 
Well, not exactly: you really can only have one policy_modules() line at
the top. So you can edit your all.te and it would work.
> Dirk

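The merge discussed in the reply above, as an added example that is not part of the original thread: a plain `cat *.te` repeats the module header and the `require` block once per file, so this sketch keeps one header, unions the `require` declarations and drops duplicate rules. It assumes the files are in the `module <name> <version>;` plus `require { ... }` form that `audit2allow -M` writes; `merge_te`, the module name `nagioslocal` and both sample inputs are constructed for illustration.

```python
import re
from collections import defaultdict
CLASS = re.compile(r"^class\s+(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;$")

def merge_te(sources, name, version="1.0"):
    """Merge audit2allow-style .te texts into one module with one header."""
    types, classes, rules = set(), defaultdict(set), []
    for text in sources:
        in_require = False
        for line in map(str.strip, text.splitlines()):
            if not line or line.startswith("#") or line.startswith("module "):
                continue                      # drop blanks, comments, old headers
            if line.startswith("require"):
                in_require = True
            elif in_require and line == "}":
                in_require = False
            elif in_require and (m := CLASS.match(line)):
                classes[m[1]].update((m[2] or m[3] or "").split())  # union perms
            elif in_require:
                types.add(line)               # "type foo_t;" declarations
            elif line not in rules:
                rules.append(line)            # keep each rule once, in order
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\t{t}" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join(out + ["}", ""] + rules) + "\n"

# Constructed sample inputs (not taken from the thread)
SAMPLE_A = """module nagiosmailq 1.0;
require {
	type nagios_t;
	type postfix_postqueue_exec_t;
	class file { execute getattr };
}
allow nagios_t postfix_postqueue_exec_t:file { execute getattr };
"""
SAMPLE_B = """module nagiospostqueue 1.0;
require {
	type nagios_t;
	type postfix_postqueue_exec_t;
	type postfix_spool_t;
	class file { execute read };
	class dir search;
}
allow nagios_t postfix_postqueue_exec_t:file { execute getattr };
allow nagios_t postfix_spool_t:dir search;
allow nagios_t postfix_postqueue_exec_t:file read;
"""
print(merge_te([SAMPLE_A, SAMPLE_B], "nagioslocal"), end="")
```

Review the merged rules before building: every `allow` line that survives is access being granted, so this is the point to delete anything that came from unrelated noise in the audit log. The old per-step modules should be removed with `semodule -r` once the combined module is installed.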



