Ridding myself of root passwords?

Jima jima at beer.tclug.org
Thu Feb 6 17:23:08 MST 2014


On 2014-02-06 12:13, S. Dale Morrey wrote:
> A tool like SELinux really needs to be more intelligent.  Adding a "study
> what this process does" mode and allowing it to learn the norms of the
> process would in my mind justify the hassle of going in and telling it
> "yeah sorry daemonX was supposed to be able to do that particular thing" on
> the rare occasion that a daemon does change behavior by design.

  OK, speaking very specifically about CentOS (and Fedora), here's a 
quick "coping with SELinux" primer:

# yum install policycoreutils-python
(do something that SELinux doesn't allow, actually can be done before 
installing policycoreutils-python)
# audit2allow -M policy1 < /var/log/audit/audit.log
(following the instructions provided in audit2allow's output...)
# semodule -i policy1.pp
(now to flush the audit log out so your next invocation of audit2allow 
won't try to combat what you've already permitted)
# mv /var/log/audit/audit.log <somewhereelse> && service auditd restart
(rinse/repeat with policy2, policy3, etc)

  Mind you, you wouldn't want to do that blindly (you can and should 
read policy1.te before loading policy1.pp), but that's how to make 
SELinux play nice with arbitrary software.  policycoreutils-python also 
includes audit2why, which attempts to explain why SELinux blocked a 
particular action from happening.  The key thing when allowing things 
through SELinux's watchful gaze is to make sure that it's blocking your 
actions and not someone else's. ;-)

      Jima
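The workflow Jima describes, with the "make sure it's blocking your actions and not someone else's" check made explicit, as an added shell example that is not part of the original post. It feeds audit2allow only the AVC denials for one named process (comm=); the audit.log lines below are constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log content (not real denials).
SAMPLE_AUDIT='type=AVC msg=audit(1391730000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.conf" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1391730000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1391730001.456:457): avc:  denied  { write } for  pid=2222 comm="sshd" name="shadow" dev="sda1" ino=100 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1391730002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Read audit records on stdin and keep only AVC denials whose comm= matches
# the daemon being tuned, so unrelated denials (here, sshd touching shadow)
# never end up in the generated policy module.
filter_denials_for() {
    comm="$1"
    grep 'type=AVC' | grep 'denied' | grep "comm=\"$comm\""
}

# Count of matching denials in the constructed sample; 0 when none match.
count_sample_denials_for() {
    printf '%s\n' "$SAMPLE_AUDIT" | filter_denials_for "$1" | wc -l | tr -d ' '
}

# The post's sequence, restricted to one daemon: audit2allow -M builds
# <name>.te and <name>.pp; the .te is printed for review before anyone
# runs "semodule -i <name>.pp". Needs policycoreutils-python and root.
build_module_for() {
    comm="$1"; name="$2"; log="${3:-/var/log/audit/audit.log}"
    command -v audit2allow >/dev/null 2>&1 || {
        echo "audit2allow not installed (yum install policycoreutils-python)" >&2
        return 1
    }
    filter_denials_for "$comm" < "$log" | audit2allow -M "$name" || return 1
    echo "--- review $name.te before loading ---"
    cat "$name.te"
    echo "--- then: semodule -i $name.pp; move $log aside and restart auditd ---"
}
```

Usage on a real box would be `build_module_for httpd policy1`, followed by the review and `semodule -i` step only once the .te contains nothing but the daemon's own accesses.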
