On Tuesday 09 November 2004 23:12, Thomas Vander Stichele
<thomas(a)apestaart.org> wrote:
> So I read some more of the howto. There's a binary called audit2allow
> that could help me generate rules. So I run it, restart apache a few
> times, but the binary doesn't print anything, not even with -v. Maybe
> I'm using it wrong, but there's no way of finding out if I am.
Here are some uses of it:
dmesg|audit2allow
audit2allow -d
audit2allow < /var/log/messages
Note that audit2allow only produces policy, you have to then include that in
your policy tree and recompile. To do that install
selinux-policy-targeted-sources and put a file
named /etc/selinux/targeted/src/policy/domains/misc/custom.te with your
policy and then run "make -C /etc/selinux/targeted/src/policy load" to
compile and load the policy.
> If all RH developers, who have "easy" access to the SELINUX people at
> Red Hat, were to use it, they'd have basic knowledge about it.
> When the next circle of developers - outside of redhat, but having links
> to inside - gets hit, they do the same. And so on.
> It looks to me like the first circle is already completely broken, hence
> halting the dissemination of information and increasing the annoyance
> level outside of Red Hat. It won't be long before sysadmins and users
> ignore the default and turn it off entirely.
There is no requirement that you learn about SE Linux from Red Hat employees.
You can contact the Red Hat employees who work on SE Linux just as easily as
any other Red Hat employee.
Send email to rcoker(a)redhat.com and I'll answer your questions about SE Linux
and Fedora with the same priority that I would give to the same questions
from a Red Hat employee.
If you want a good and fast response from me, the best thing to do is to post
to a mailing list (such as this one) and CC me on this address. As you will
notice, I am a bit behind on my mailing list email; if your original message
had been CC'd to me you would have had a reply a long time ago.
> I understand that FC3 is relatively fresh and that not everything can be
> in place from the start.
> I just want to get a good picture of where SELINUX is at and how to
> solve issues, so that I can try to fix stuff myself, and explain to
> other people. Otherwise I'll just have to turn off SELINUX myself, and
> recommend the same to others when questions are asked about it.
SE Linux is in good shape technically. The documentation is lacking; all the
people who know the code are very busy doing coding. That leaves a shortage
of people who have the ability and time to write documentation. Things are
improving, however: there is quite a bit of documentation going in other
places, one of which is Linux Journal. We should probably make a page of links
to all reliable sources of information. My web site has some of the needed links.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
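As an added illustration of what audit2allow does with the denial messages the mail pipes into it from dmesg or /var/log/messages: this is my own Python sketch of the core step (parse AVC denials, merge permissions per source type / target type / class, print allow rules), not audit2allow's code, and the log lines are constructed, not taken from any real system.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of AVC denials in the dmesg / /var/log/messages
# format of that era; hypothetical, not from the original mail.
SAMPLE_LOG = """\
audit(1100000001.123:5): avc:  denied  { read } for  pid=2301 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=12345 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1100000002.456:6): avc:  denied  { getattr } for  pid=2301 exe=/usr/sbin/httpd path=/home/thomas/public_html/index.html dev=hda2 ino=12345 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1100000003.789:7): avc:  denied  { search } for  pid=2301 exe=/usr/sbin/httpd name=thomas dev=hda2 ino=100 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
some unrelated kernel message that must be ignored
"""

# One AVC line: the denied permission set, then the source and target
# security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # A context is user:role:type[:level]; policy rules only name the type.
    return context.split(":")[2]

def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (ordinary kernel message)
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules

def format_rules(rules):
    """Render merged denials as allow rules in .te syntax, one per key."""
    lines = []
    for src, tgt, cls in sorted(rules):
        perms = " ".join(sorted(rules[(src, tgt, cls)]))
        lines.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return lines

if __name__ == "__main__":
    # Read a real log on stdin (e.g. dmesg | python3 this.py), else the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(format_rules(parse_denials(text))))
```

Review each generated rule before it goes into custom.te: the output mirrors the denials exactly, so a rule produced by a misconfigured or compromised program grants precisely the access SE Linux was blocking, and relabelling the files is often the better fix than a new allow rule.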