[Freeipa-devel] [PATCH] fix an selinux problem with ipa_kpasswd

Rob Crittenden rcritten at redhat.com
Tue Apr 1 20:17:15 UTC 2008


John Dennis wrote:
> Rob Crittenden wrote:
>> An SELinux AVC was thrown related to /proc during a password reset. 
>> This fixes that on some systems. It is still broken on Fedora 7 at least.
> 
> Rob, are you aware there is a tool which will watch a running system and 
> pop up a notification whenever an AVC denial occurs? This can be a 
> useful thing during development because AVCs may go unnoticed and it's 
> best to get them fixed ASAP. The tool also works in permissive mode so 
> you still get the notifications but nothing is blocked.
> 
> The tool is setroubleshoot and the desktop GUI component is sealert. 
> Typically it's installed and enabled. The sealert GUI depends on the 
> setroubleshoot service; the normal service and chkconfig commands apply.

Yes, but it doesn't always recommend the best way to do things because it 
doesn't seem to be aware of the SELinux macros like 
files_manage_generic_tmp_dirs().

I appreciate the suggestion though.

rob