Ridding myself of root passwords?

Richard Esplin richard-lists at esplins.org
Thu Feb 6 17:45:21 MST 2014


This whole thread has been great. I have learned a lot. Thank you.

On Thursday, February 06, 2014 17:23:08 Jima wrote:
> On 2014-02-06 12:13, S. Dale Morrey wrote:
> > A tool like SELinux really needs to be more intelligent.  Adding a "study
> > what this process does" mode and allowing it to learn the norms of the
> > process would in my mind justify the hassle of going in and telling it
> > "yeah sorry daemonX was supposed to be able to do that particular thing"
> > on the rare occasion that a daemon does change behavior by design.
> 
>   OK, speaking very specifically about CentOS (and Fedora), here's a
> quick "coping with SELinux" primer:
> 
> # yum install policycoreutils-python
> (do something that SELinux doesn't allow, actually can be done before
> installing policycoreutils-python)
> # audit2allow -M policy1 < /var/log/audit/audit.log
> (following the instructions provided in audit2allow's output...)
> # semodule -i policy1.pp
> (now to flush the audit log out so your next invocation of audit2allow
> won't try to combat what you've already permitted)
> # mv /var/log/audit/audit.log <somewhereelse> && service auditd restart
> (rinse/repeat with policy2, policy3, etc)
> 
>   Mind you, you wouldn't want to do that blindly (you can and should
> read policy1.te before loading policy1.pp), but that's how to make
> SELinux play nice with arbitrary software.  policycoreutils-python also
> includes audit2why, which attempts to explain why SELinux blocked a
> particular action from happening.  The key thing when allowing things
> through SELinux's watchful gaze is to make sure that it's blocking your
> actions and not someone else's. ;-)
> 
>       Jima
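The step Jima flags as essential, reading what you are about to allow and checking that the denials belong to your daemon rather than to some other process, can be done before ever running audit2allow. The following script is an added example, not code from this thread or from the policycoreutils package: it parses `type=AVC` denial lines from an audit log, merges them per (source domain, target type, object class), and lets you restrict the summary to one source domain so unrelated denials never end up in the same policy module. The audit log lines, the `daemonX` process and its `daemonx_t` domain are constructed for the example; the `allow` lines it prints use the same .te rule syntax you would review in policy1.te.

```python
"""Summarize SELinux AVC denials from an audit log before turning them into
policy, grouped by (source domain, target type, object class)."""
import re
from collections import defaultdict

# Fields of a type=AVC denial line as auditd writes it. Some denials
# (e.g. socket connects) carry no name=/dev=/ino= fields, hence the .*? gaps.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Constructed sample log: three denials from a hypothetical daemonX running in
# a hypothetical daemonx_t domain, one unrelated httpd denial, one non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1391733000.101:201): avc:  denied  { read } for  pid=2001 comm="daemonX" name="state.db" dev="sda1" ino=4101 scontext=system_u:system_r:daemonx_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1391733000.102:202): avc:  denied  { write } for  pid=2001 comm="daemonX" name="state.db" dev="sda1" ino=4101 scontext=system_u:system_r:daemonx_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1391733000.103:203): avc:  denied  { name_connect } for  pid=2001 comm="daemonX" scontext=system_u:system_r:daemonx_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1391733000.104:204): avc:  denied  { write } for  pid=3100 comm="httpd" name="notes.txt" dev="sda1" ino=55 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1391733000.104:204): arch=c000003e syscall=2 success=no exit=-13
"""


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "pid": int(d["pid"]),
        "comm": d["comm"],
        "perms": set(d["perms"].split()),
        "source": selinux_type(d["scontext"]),
        "target": selinux_type(d["tcontext"]),
        "tclass": d["tclass"],
    }


def summarize(lines, only_source=None):
    """Group denials into {(source, target, tclass): set(perms)}.

    only_source restricts the summary to one source domain, so denials raised
    by unrelated processes (someone else's actions) are not swept into the
    policy you are building for your own daemon."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if only_source and rec["source"] != only_source:
            continue
        rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def to_allow_rules(rules):
    """Render the summary as allow rules in .te syntax, sorted for stable review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    print("All denials in the log:")
    for rule in to_allow_rules(summarize(lines)):
        print("  " + rule)
    print("Only denials from daemonx_t (what a policy for daemonX should contain):")
    for rule in to_allow_rules(summarize(lines, only_source="daemonx_t")):
        print("  " + rule)
```

Run against a real log with `summarize(open("/var/log/audit/audit.log"), only_source="<your daemon's domain>")`; if the unrestricted summary contains domains you did not expect, that is exactly the case where a blindly generated policy1.pp would grant permissions to a process you were not trying to fix.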


