Jiann-Ming Su
2007-May-16 20:46 UTC
[CentOS] selinux-policy-targeted-sources and CentOS 5?
What is the equivalent "selinux-policy-targeted-sources" package in CentOS 5? It was available in 4.4. Thanks for any help.

--
Jiann-Ming Su
"I have to decide between two equally frightening options. If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank. The election baby has peed in the bath water. You got to throw 'em both out." --Dale Gribble
Daniel de Kok
2007-May-16 20:53 UTC
[CentOS] selinux-policy-targeted-sources and CentOS 5?
On Wed, 2007-05-16 at 16:46 -0400, Jiann-Ming Su wrote:
> What is the equivalent "selinux-policy-targeted-sources" package in
> CentOS 5? It was available in 4.4. Thanks for any help.

Most of the policy is added through policy modules in CentOS 5. The policy module sources are available through the selinux-policy SRPM; the interface files are also available through the selinux-policy-devel package. Though, you don't need the sources in CentOS 5 to build policies for new programs (you can write a module, and compile it using the Makefile provided in the selinux-policy-devel package).

-- Daniel
Paul Heinlein
2007-May-16 20:57 UTC
[CentOS] selinux-policy-targeted-sources and CentOS 5?
On Wed, 16 May 2007, Jiann-Ming Su wrote:
> What is the equivalent "selinux-policy-targeted-sources" package in
> CentOS 5? It was available in 4.4. Thanks for any help.

Funny, I just asked myself that this morning. Reading the RHEL 5 manual (Chapter 45. Customizing SELinux Policy), I came to the conclusion that semanage, semodule, and audit2allow are the newly blessed toolset.

I needed to allow dhcpd to bind to a port (1820/1821 in my case) for failover, but that binding is verboten in the standard targeted policy. I took a look at the audit.log to see what entries were of interest (they all contained src=1820 or src=1821), and passed those entries to audit2allow, asking it to create a policy called "dhcpfailover." I looked at the resulting dhcpfailover.te file to make sure it looked something like I expected, and then used semodule to install and activate the policy revision. I.e.,

  grep src=182[01] /var/log/audit/audit.log | audit2allow -M dhcpfailover
  $PAGER dhcpfailover.te
  semodule -i dhcpfailover.pp

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
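The workflow above (grep the denials of interest, let audit2allow turn them into a .te module, read the module before loading it) is worth doing with a bit more care than a single grep: a grep on src= alone misses connect denials logged with dest=, and feeding the whole audit.log to audit2allow would also sweep in unrelated denials from other domains. The following Python script is an added example, not code from the post or from the audit2allow tool; it parses AVC records, keeps only those touching the ports you name (src or dest), checks that every denial comes from the domain you expect, and renders the same kind of allow rules audit2allow would emit so you can review them. The audit lines are constructed samples in the real AVC record format; pids, timestamps and serial numbers are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not from the original post). The
# fourth AVC record is an unrelated httpd denial that a whole-log run of
# audit2allow would wrongly fold into the dhcpd module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1179346800.101:201): avc:  denied  { name_bind } for  pid=2101 comm="dhcpd" src=1820 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1179346800.101:201): arch=40000003 syscall=102 success=no exit=-13 comm="dhcpd"
type=AVC msg=audit(1179346800.102:202): avc:  denied  { name_bind } for  pid=2101 comm="dhcpd" src=1821 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1179346800.103:203): avc:  denied  { name_connect } for  pid=2101 comm="dhcpd" dest=1820 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1179346801.500:204): avc:  denied  { read } for  pid=3300 comm="httpd" name="secret" dev=sda3 ino=8821 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Matches an AVC denial and captures the permission set and the key=value tail.
AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; quoted values (comm="dhcpd") and bare values (src=1820).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return ctx.split(':')[2]


def parse_avc_denials(text):
    """Turn raw audit.log text into a list of denial dicts; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        denials.append({
            'perms': set(m.group('perms').split()),
            'comm': fields.get('comm'),
            'src': int(fields['src']) if 'src' in fields else None,
            'dest': int(fields['dest']) if 'dest' in fields else None,
            'stype': context_type(fields['scontext']),
            'ttype': context_type(fields['tcontext']),
            'tclass': fields['tclass'],
        })
    return denials


def filter_by_port(denials, ports):
    """Keep denials whose src OR dest port is in `ports` (grep src= alone misses dest=)."""
    return [d for d in denials if d['src'] in ports or d['dest'] in ports]


def unexpected_domains(denials, expected_domains):
    """Source domains present in the denials that are not in the expected set."""
    return {d['stype'] for d in denials} - set(expected_domains)


def aggregate_rules(denials):
    """Collapse denials into {(source type, target type, class): sorted perms}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in rules.items()}


def render_module(name, rules, version="1.0"):
    """Render rules as a policy module source (.te) in the shape audit2allow -M produces."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    all_denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print("unexpected domains in whole log:", unexpected_domains(all_denials, {"dhcpd_t"}))
    relevant = filter_by_port(all_denials, {1820, 1821})
    print("unexpected domains after port filter:", unexpected_domains(relevant, {"dhcpd_t"}))
    print(render_module("dhcpfailover", aggregate_rules(relevant)))
```

On a real box you would read /var/log/audit/audit.log instead of the constructed sample and then still hand the reviewed .te to checkmodule/semodule_package (or just rerun audit2allow -M on the filtered lines) before semodule -i. Note also that the rule this produces allows dhcpd_t to bind any generic port_t port; labelling just the failover ports with semanage port -a -t dhcpd_port_t is usually the narrower fix when the policy already grants dhcpd access to dhcpd_port_t.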