Combining modules?

Dominick Grift domg472 at gmail.com
Tue Dec 8 18:57:10 UTC 2009


On Tue, Dec 08, 2009 at 10:41:51AM -0800, John Oliver wrote:
> I don't know if there's a better way to do this, but I'm trying to get
> nagios working with selinux (CentOS 5.4 Final). I try to run it, get an
> error, create a policy module, install it, and return to step one. It's
> getting pretty ridiculous:

Yes, a common issue with developing policy. What developers usually do is develop policy in permissive mode or, in Fedora 11 and up, using permissive domains. These methods allow you to accumulate all or at least most AVC denials in one run. This is because permissive mode/domains allow the access but log "would be" denials. So the process usually works, but you'll still get to see what SELinux would have denied.

But apart from that, you can also develop policy in enforcing mode, although since SELinux actually denies every permission, the process cannot proceed. So you'll write a rule, reload the modified policy, append the next rule, reload, and so forth and so forth.

An easier way to do that is to just modify your source policy (the .te, .if and .fc files), rebuild the binary policy and install it again. That will overwrite the installed policy.

# start a new source policy module and build/install the binary module from it
echo "policy_module(example, 1.0.0)" > example.te
make -f /usr/share/selinux/devel/Makefile example.pp
sudo semodule -i example.pp
# .. later you figure out more policy is required ..
# .. append some stuff to the existing source policy example.te file ..
echo "type example_t;" >> example.te
echo "type example_exec_t;" >> example.te
echo "init_daemon_domain(example_t, example_exec_t)" >> example.te
# .. build a binary module again, this time from the modified source policy example.te file ..
make -f /usr/share/selinux/devel/Makefile example.pp
# .. install the modified example.pp binary module *again*, which, if the policy version is the same, overwrites the existing installed example.pp
sudo semodule -i example.pp

That way you will end up with a single module with all your mods for a particular domain.

> 
> [joliver at mda-services4 ~]$ sudo /usr/sbin/semodule -l | grep nagios
> nagios  1.1.0
> nagios10        1.0
> nagios2 1.0
> nagios3 1.0
> nagios4 1.0
> nagios5 1.0
> nagios6 1.0
> nagios7 1.0
> nagios8 1.0
> nagios9 1.0
> 
> When I finally discover all of the problems... is there a way to dump
> all of those modules into one?  Both for my sanity, and so that I can
> maybe submit that module to CentOS so the next poor SOB who tries to do
> this doesn't have to reinvent the wheel?
> 
> Or is there another, better, way to find all of the various rules that
> are needed in one fell swoop?
> 
> -- 
> ***********************************************************************
> * John Oliver                             http://www.john-oliver.net/ *
> *                                                                     *
> ***********************************************************************
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
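The thread's other half is collapsing the ten accumulated nagios modules into one source file. The script below is an added example, not code from either poster or from the SELinux tooling: it does by hand what a permissive-mode run followed by a single merge step gives you, reading AVC denial records, merging permissions per (source type, target type, object class), and rendering one policy_module .te source that can then be built with the Makefile shown above. The log lines are constructed for the example (nagios_t, var_log_t, unreserved_port_t and var_run_t are real Fedora policy types, the pids, inodes and timestamps are made up), and the function names parse_avc and to_te are mine.

```python
import re
from collections import defaultdict

# Constructed sample of audit AVC records (not from the original thread).
# The last line is a SYSCALL record and must be ignored by the parser.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1260298870.123:456): avc:  denied  { read } for  pid=1234 comm="nagios" name="nagios.log" dev=dm-0 ino=98765 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1260298870.123:457): avc:  denied  { open } for  pid=1234 comm="nagios" name="nagios.log" dev=dm-0 ino=98765 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1260298871.001:458): avc:  denied  { name_bind } for  pid=1234 comm="nagios" src=5666 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1260298872.500:459): avc:  denied  { write } for  pid=1240 comm="nagios" name="nagios.cmd" dev=dm-0 ino=98770 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1260298872.500:459): arch=c000003e syscall=2 success=no exit=-13 comm="nagios"
"""

# One AVC record: the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_avc(log_text):
    """Merge every AVC denial into {(source_type, target_type, class): set(perms)}.

    Several runs (or several of the nagiosN modules from the thread) reduce to
    one entry per type pair and class, so 'read' and 'open' on var_log_t end up
    in a single rule instead of two modules.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no denial
        # context is user:role:type[:level]; the type is the third field
        stype = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules


def to_te(rules, name="nagios_local", version="1.0.0"):
    """Render one policy_module source from merged denials.

    The require block declares every type and class the allow rules reference,
    which is what the reference-policy build needs for types it did not define.
    """
    types = set()
    classes = defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.update((s, t))
        classes[c].update(perms)
    out = ["policy_module(%s, %s)" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Writes nagios_local.te; build it with:
    #   make -f /usr/share/selinux/devel/Makefile nagios_local.pp
    merged = parse_avc(SAMPLE_AVC_LOG)
    source = to_te(merged)
    with open("nagios_local.te", "w") as fh:
        fh.write(source)
    print(source)
```

Re-running the script over a longer log and rebuilding the same nagios_local.pp is the single-module workflow from the reply: the source file is the thing you keep editing, and each semodule -i replaces the installed module rather than adding nagios11. Treat the raw allow rules as a starting point to review, not a finished policy: in reference policy the tcp_socket name_bind on unreserved_port_t, for instance, is normally expressed through an interface from the .if files rather than a bare allow, in the same way the reply uses init_daemon_domain instead of spelling out the transition rules.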