| 1 |
If haven't synced in the last day or so, the NSA put out a new release. |
| 2 |
It has a tool, which is oft requested. Policycoreutils 1.4 now has the |
| 3 |
audit2allow tool, which will spit out SELinux policy from denials in |
| 4 |
dmesg, or logs. Just be careful when using it; denials aren't always |
| 5 |
because of policy shortcomings :) |
| 6 |
|
| 7 |
beta policy-dev # dmesg |
| 8 |
avc: denied { unlink } for pid=3484 exe=/usr/sbin/apache2 dev=sda9 |
| 9 |
ino=240715 scontext=system_u:system_r:httpd_t |
| 10 |
tcontext=system_u:object_r:httpd_var_run_t tclass=sock_file |
| 11 |
|
| 12 |
avc: denied { create } for pid=3484 exe=/usr/sbin/apache2 |
| 13 |
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_run_t |
| 14 |
tclass=sock_file |
| 15 |
|
| 16 |
avc: denied { setattr } for pid=3484 exe=/usr/sbin/apache2 dev=sda9 |
| 17 |
ino=239082 scontext=system_u:system_r:httpd_t |
| 18 |
tcontext=system_u:object_r:var_run_t tclass=sock_file |
| 19 |
|
| 20 |
beta policy-dev # audit2allow -d |
| 21 |
allow httpd_t httpd_var_run_t:sock_file { unlink }; |
| 22 |
allow httpd_t sbin_t:dir { search }; |
| 23 |
allow httpd_t var_run_t:sock_file { create setattr }; |
| 24 |
|
| 25 |
|
| 26 |
-- |
| 27 |
Chris PeBenito |
| 28 |
<pebenito@g.o> |
| 29 |
Developer, |
| 30 |
Hardened Gentoo Linux |
| 31 |
Embedded Gentoo Linux |
| 32 |
|
| 33 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 34 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives