Revert to default settings after seedit relabel, was: Re: Hello world and first question concerning Munin

Gabriele Pohl gp at dipohl.com
Sat Oct 4 10:29:07 UTC 2008


Hi Stephen and all,

I searched for a possibility to see
what rules are defined in the SELinux
module for munin.

After reading a lot of man pages of all the SELinux tools
that I found on my system, without a result for this issue,
I took a look at the SELinux knowledge base here:
http://fedoraproject.org/wiki/SELinux

and saw the "seedit" SELinux policy editor (and accompanying simplified
policy language)

http://seedit.sourceforge.net/

"You can try SELinux Policy Editor on Fedora Core 6,7,8 or CentOS 4,
Cent OS5.  It will not affect existing SELinux policies so it is
possible to revert to the default settings easily."

Hmmm, at the first call it asks for initialization.
I agreed. It needs a reboot and after that, all 
policy rules were replaced by *simple* ones.
And mode is now *permissive*, no longer *targeted*.

I find no possibility to load a module for editing
(as e.g. munin targeted module). So this experiment
was useless for my purpose.

After switching the mode to *targeted* again
(but no reboot so far) I see none of the
old modules. All contexts are *unconfined*.

How can I get the original state back?

On Friday, 12.09.2008, at 09:49 -0400, Stephen Smalley wrote:
> On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
> > I use Munin (http://munin.projects.linpro.no/)
> > Now my first question:
> > 
> > Plugin smart_ is written in Python.
> > It calls "smartctl" from the smartmontools package
> > (http://smartmontools.sourceforge.net/) to read the
> > values of the SMART-Attributes from the harddisks.
> > 
> > #============= munin_t ==============
> > allow munin_t fixed_disk_device_t:blk_file getattr;
> > -------------------------------
> > 
> Ideally the munin_t domain itself shouldn't need any access to the raw
> device - it should transition into the existing domain for smartd
> (fsdaemon_t) upon executing the smartctl program. 

How can this be done?

> I don't know offhand
> if the existing munin policy module has such a domain transition rule.

I would like to look at the rules defined in
the policy module. How can I do this?

> However, mere getattr access (i.e. the ability to stat the file) isn't a
> big deal, so you could likely grant that one w/o difficulty.  What would
> be more problematic is allowing read or write access to the raw device.

ok, thanks! I'll add this rule as soon
as I have my original states restored on the system.

Kind regards,

Gabriele
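
The distinction quoted above between getattr and read or write access to the raw device, shown as an added example that is not part of the original thread: a small check that triages audit2allow-style rules before they are loaded. The second and third sample rules, the names `review`, `METADATA_ONLY` and `RAW_DISK_TYPES`, and the choice of which permissions count as metadata-only are assumptions made for illustration.

```python
import re

# Assumptions of this example (not from the thread): which permissions count
# as metadata-only, and which types label raw disk nodes.
METADATA_ONLY = {"getattr"}
RAW_DISK_TYPES = {"fixed_disk_device_t"}

# Matches simple rules: allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;"
)

def parse_allow_rules(text):
    """Yield (source, target, tclass, perms) for each simple allow rule."""
    for line in text.splitlines():
        m = ALLOW_RE.match(line.split("#", 1)[0])  # ignore comment text
        if m:
            source, target, tclass, perms = m.groups()
            yield source, target, tclass, set(perms.strip("{} ").split())

def review(text):
    """Return (verdict, source, risky_perms) for every raw-disk blk_file rule."""
    findings = []
    for source, target, tclass, perms in parse_allow_rules(text):
        if target in RAW_DISK_TYPES and tclass == "blk_file":
            # Anything beyond stat-style access to the raw device needs a human look.
            risky = sorted(perms - METADATA_ONLY)
            findings.append(("review" if risky else "ok", source, risky))
    return findings

# First rule is the one quoted in the thread; the other two are constructed.
SAMPLE = """\
#============= munin_t ==============
allow munin_t fixed_disk_device_t:blk_file getattr;
allow munin_t fixed_disk_device_t:blk_file { getattr read ioctl };
allow munin_t etc_t:file read;
"""

if __name__ == "__main__":
    for verdict, source, risky in review(SAMPLE):
        print(verdict, source, " ".join(risky) or "-")
```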




More information about the fedora-selinux-list mailing list