If you haven't synced in the last day or so, the NSA put out a new release.
It has a tool, which is oft requested. Policycoreutils 1.4 now has the
audit2allow tool, which will spit out SELinux policy from denials in
dmesg, or logs. Just be careful when using it; denials aren't always
because of policy shortcomings :)

beta policy-dev # dmesg
avc: denied { unlink } for pid=3484 exe=/usr/sbin/apache2 dev=sda9
ino=240715 scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_var_run_t tclass=sock_file

avc: denied { create } for pid=3484 exe=/usr/sbin/apache2
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_run_t
tclass=sock_file

avc: denied { setattr } for pid=3484 exe=/usr/sbin/apache2 dev=sda9
ino=239082 scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:var_run_t tclass=sock_file

beta policy-dev # audit2allow -d
allow httpd_t httpd_var_run_t:sock_file { unlink };
allow httpd_t sbin_t:dir { search };
allow httpd_t var_run_t:sock_file { create setattr };


--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
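
Added example, not part of the original message and not audit2allow's own code: a Python version of the denial-to-rule step, run over the three denials quoted above. It rejoins wrapped records and keeps the denied executable beside each generated rule, so a reviewer can decide whether a denial is a policy gap before allowing it; the names parse_denials and allow_rules are made up for this example.

```python
import re
from collections import defaultdict

# The three denials from the dmesg output quoted above, line wrapping included.
SAMPLE_DMESG = """\
avc: denied { unlink } for pid=3484 exe=/usr/sbin/apache2 dev=sda9
ino=240715 scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:httpd_var_run_t tclass=sock_file

avc: denied { create } for pid=3484 exe=/usr/sbin/apache2
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_run_t
tclass=sock_file

avc: denied { setattr } for pid=3484 exe=/usr/sbin/apache2 dev=sda9
ino=239082 scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:var_run_t tclass=sock_file
"""

PERMS = re.compile(r"denied\s*\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_denials(text):
    """Yield (source type, target type, class, perms, exe) per AVC denial."""
    # Collapse whitespace first so a record wrapped over several lines is one string.
    for record in re.split(r"(?=avc:)", " ".join(text.split())):
        m = PERMS.search(record)
        fields = dict(FIELD.findall(record))
        if not m or not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # not a denial, or a truncated record: skip rather than guess
        # The type is the third colon-separated field of a security context.
        yield (fields["scontext"].split(":")[2], fields["tcontext"].split(":")[2],
               fields["tclass"], m.group(1).split(), fields.get("exe", "?"))

def allow_rules(text):
    """Merge denials into sorted (allow rule, [executables]) pairs for review."""
    perms, exes = defaultdict(set), defaultdict(set)
    for src, tgt, tclass, denied, exe in parse_denials(text):
        perms[(src, tgt, tclass)].update(denied)
        exes[(src, tgt, tclass)].add(exe)
    return [("allow %s %s:%s { %s };" % (*key, " ".join(sorted(perms[key]))),
             sorted(exes[key])) for key in sorted(perms)]

if __name__ == "__main__":
    for rule, seen_in in allow_rules(SAMPLE_DMESG):
        print(rule, "   # denied for:", ", ".join(seen_in))
```

The sbin_t:dir rule in the audit2allow output above has no matching denial in the quoted dmesg excerpt, so it does not appear in this result.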