CentOS docs - Nov 2012 - [CentOS Wiki] Update of "HowTos/SELinux" by kirkbocek

On 08/11/12 04:45, noreply at centos.org wrote:
> Dear Wiki user,
>
> You have subscribed to a wiki page or wiki category on "CentOS
Wiki" for change notification.
>
> The following page has been changed by kirkbocek:
> http://wiki.centos.org/HowTos/SELinux?action=diff&rev2=29&rev1=28
>
> The comment on the change is:
> Added the User Notes and Gotchas Section
>
>
------------------------------------------------------------------------------
>
>    http://danwalsh.livejournal.com/
>
> + == User Notes and Gotchas => +
> + This section is provided by a user who learned most of what he knows of
SELinux from this document. This document is a wonderful and detailed resource.
However, it is somewhat dry. It misses a couple of practical points I found
rather frustrating as I tried to actually get stuff done.
> +
> +  1. ''semanage'' is found in the package
''policycoreutils-python'' which is not installed by default.
Note there is a separate ''policycoreutils'' package.
This doc was written for CentOS 5. There are large differences between 
CentOS 5 and 6. This is one of them. The policycoreutils-python package 
doesn't exist on CentOS 5 and semanage is indeed provided by 
policycoreutils.

I've asked before and I'll say it again - we need a policy for dealing 
with documentation changes between 5 and 6.

I've not checked for errors further into this commit.
> +  1. Finding the right context to use as you manage a system is difficult.
One place to start is ''ls -Z''. Look at the directories and
data pre-installed by a package and copy the contexts already used. The next
tool is ''seinfo -t'' which lists all contexts currently in use
on your system. grep for the name of your application.
> +  1. ''audit2allow'' is actually easier to use than
presented here. When you have a conflict between two contexts, find the error
messages in ''audit.log'' and extract them to a separate text
file. Feed the errors back to ''audit2allow'' like this:
> + {{{
> + audit2allow -M mynewpolicyname<errors.txt}}}
> +  What will be generated is ''mynewpolicyname.te'' and
''mynewpolicyname.pp'' along with helpful instructions on how to
import the new policy. This new policy will enable whatever was previously
conflicting.
> +
> +  I discovered this process attempting to get a script running under
postfix that was previously installed on a non-SELinux system. Under SELinux,
the script needs to run under the ''postfix_pipe_exec_t''
context and it's spooling directory needs the
''postfix_pipe_tmp_t'' context. However the script also calls
the ''spamc'' binary of ''spamassassin'' for
processing. Alas, this binary runs under ''spamc_t'' and thus
couldn't read or write into the spool directory.
> +
> +  After executing this process we get a ''.te'' file that
looks like this:
> + {{{
> + module mynewpolicy 1.0;
> +
> + require {
> +         type spamc_t;
> +         type postfix_pipe_tmp_t;
> +         class file { read write };
> + }
> +
> + #============= spamc_t =============> + allow spamc_t
postfix_pipe_tmp_t:file { read write };
> + }}}
> +  If you look at the last line, this policy allows the
''spamc_t'' context to read and write files in the
''postfix_pipe_tmp_t'' context. ''spamassassin''
now works as before.
> +
>

On 08.11.2012 17:47, Ned Slider wrote:
> This doc was written for CentOS 5. There are large differences between 
> CentOS 5 and 6. This is one of them. The policycoreutils-python package 
> doesn't exist on CentOS 5 and semanage is indeed provided by 
> policycoreutils.
> 
> I've asked before and I'll say it again - we need a policy for
dealing
> with documentation changes between 5 and 6.
So the same as with 4 and 5: I still am all for "CentOS 5" and
"CentOS
6" sections in documentation, where things differ and do that directly
on the page. Now this might mean that we have two completely different
versions of a page, if the difference is too big. IMHO.


OTOH upstream's documentation has grown quite a bit from the "5"
days,
so a few things we have on the wiki are now documented in the official
documentation.

Regards,

Ralph