Hey,

I am in the process of trying (and convincing my colleagues) to learn/setup selinux as we switch to 6.0...

Quick question: do I really "need" to install the setools/setroubleshoot packages or can I live without them?? They want to install 80 packages (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing all sorts of graphical tools/libs on my lean servers.
Can I just install setools-console by example?
Is there a console only equivalent for setroubleshoot?

If you know a must-have "selinux for dummies" like howto, apart from Redhat/Fedora doc or CentOS wiki, I am interested! Especially if it covers the case of many non-standard applications (the policy here is to use compiled apaches/php/mencoder/ffmpeg/..., all installed (with their data/logs) in a "/OURDIR" directory (but still use /var/run for the pids and a few others depending on the app), init.d scripts, logrotates, etc...

Thx,
JD
On Fri, 2 Sep 2011, John Doe wrote:

> I am in the process of trying (and convincing my colleagues) to learn/setup
> selinux as we switch to 6.0...
> Quick question: do I really "need" to install the setools/setroubleshoot
> packages or can I live without them?? They want to install 80 packages
> (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing
> all sort of graphical tools/libs on my lean servers.
> Can I just install setools-console by example?

What does experimentation with yum in a testing mode indicate with the packageset on your box - dependency trees have an effectively infinite number of permutations

> Is there a console only equivalent for setroubleshoot?
>
> If you know a must-have "selinux for dummies" like howto, apart from
> Redhat/Fedora doc or CentOS wiki

What is wrong with the article at:
http://wiki.centos.org/HowTos/SELinux

as the timestamps will indicate another CentOS dev team member pointed out some deficiencies to me in it last night, and I was working on it for a couple of hours, and then a docs group member did style cleanups behind me

It is not a completed work, but it is now relevant to CentOS 6

It also covers writing custom rules for local 'in house' applications

I also know that the CentOS Planet RSS aggregator carried a rather long teaching rant I wrote a while back
http://orcorc.blogspot.com/2010/12/ripping-out-safeties.html

seemingly right before I injured my ankle, from the datestamp -- probably a bad karma reward from the internet deities and spirits for my attitudinal expectation that technical people do research before asking

yeah -- I am just a sore head -- that's it

-- Russ herrold
Russ herrold wrote:

>> Quick question: do I really "need" to install the setools/setroubleshoot
>> packages or can I live without them?? They want to install 80 packages
>> (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing
>> all sort of graphical tools/libs on my lean servers.
>> Can I just install setools-console by example?
> What does experimentation with yum in a testing mode indicate
> with the packageset on your box - dependency trees have an
> effectively infinite number of permutations

My question was more "do I really need this package to work with selinux?"
I installed setools-console and so far it seems enough...
So, can I skip setroubleshoot?

>> If you know a must-have "selinux for dummies" like howto, apart from
>> Redhat/Fedora doc or CentOS wiki
> What is wrong with the article at:
> http://wiki.centos.org/HowTos/SELinux

Nothing wrong; I already read it, and will read the redhat doc...
Just looking for all the doc I can find on the subject.
And maybe also for the hidden secret magic button that will auto-write the hundreds of custom policies we will need...
Creating a custom policy for an apache to use a non-standard rootdir or port seems indeed easy with audit2allow...?
But several of our servers are more or less 10% standard (rpm based) and 90% custom, with dozens of apps/scripts listening on dozens of non-standard ports, sockets, accessing many files here and there...
So the task is a bit daunting.

Thx,
JD

PS: Anyone found/made a Zimbra policy module?? ^_^
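As an added illustration of the "custom rootdir or port" case discussed in this thread (not code from the thread or from the CentOS wiki): the script below parses constructed AVC denial lines the way audit2allow does, and for the two denials a compiled httpd under /OURDIR typically produces it prefers the labeling fix (semanage port / semanage fcontext) over the blanket allow rule audit2allow would emit. The sample lines, the port 8090 and the /OURDIR path are assumptions; only httpd_t is mapped to its standard types (http_port_t, httpd_sys_content_t), other domains fall back to the plain allow rule.

```shell
# Constructed sample AVC denials (not taken from the thread): a compiled httpd
# binding a non-standard port, and reading content under /OURDIR that still
# carries the generic default_t label.
AVC_PORT='type=AVC msg=audit(1314982000.123:45): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
AVC_FILE='type=AVC msg=audit(1314982001.456:46): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.php" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# Value of one key=value field in an AVC line (the key must follow whitespace).
avc_field() { printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"; }
# Type component of a context: system_u:system_r:httpd_t:s0 -> httpd_t
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# The TE rule audit2allow would emit for this single denial.
avc_to_allow() {
  perm=$(printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p' | sed 's/ *$//')
  printf 'allow %s %s:%s %s;\n' \
    "$(ctx_type "$(avc_field "$1" scontext)")" \
    "$(ctx_type "$(avc_field "$1" tcontext)")" \
    "$(avc_field "$1" tclass)" "$perm"
}

# Prefer the existing labeling mechanism over a raw allow rule when one exists.
# Only httpd_t is mapped here; other domains fall back to the audit2allow rule.
suggest_fix() {
  src=$(ctx_type "$(avc_field "$1" scontext)")
  cls=$(avc_field "$1" tclass)
  case "$src:$cls" in
    httpd_t:tcp_socket)
      # name_bind denial: the listening port is in src=; label that one port
      # instead of letting httpd_t bind every unreserved port
      printf 'semanage port -a -t http_port_t -p tcp %s\n' "$(avc_field "$1" src)" ;;
    httpd_t:file|httpd_t:dir)
      # mislabeled content under the custom root (assumed /OURDIR): set the
      # fcontext and relabel, rather than allowing httpd_t to read default_t
      printf 'semanage fcontext -a -t httpd_sys_content_t "/OURDIR(/.*)?"\nrestorecon -Rv /OURDIR\n' ;;
    *) avc_to_allow "$1" ;;
  esac
}

# Usage: run both constructed denials through the planner
printf '%s\n%s\n' "$AVC_PORT" "$AVC_FILE" | while IFS= read -r line; do suggest_fix "$line"; done
```

On a real box the input would be `grep AVC /var/log/audit/audit.log`, and whatever still lands in the fallback branch is what goes into an audit2allow module.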
On 09/02/2011 10:50 AM, John Doe wrote:

> Hey,
>
> I am in the process of trying (and convincing my colleagues) to learn/setup
> selinux as we switch to 6.0... Quick question: do I really "need"
> to install the setools/setroubleshoot
> packages or can I live without them? They want to install 80 packages
> (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing
> all sort of graphical tools/libs on my lean servers.
> Can I just install setools-console by example?
> Is there a console only equivalent for setroubleshoot?
> If you know a must-have "selinux for dummies" like howto, apart from
> Redhat/Fedora doc or CentOS wiki, I am interested! Especially if it
> covers the case of many non-standard applications (the policy here
> is to use compiled apaches/php/mencoder/ffmpeg/..., all installed
> (with their data/logs) in a "/OURDIR" directory (but still use
> /var/run for the pids and a few others depending on the app),
> init.d scripts, logrotates, etc...
>
> Thx, JD

setools and setroubleshoot are not required to be run by SELinux. setroubleshoot-server is supposed to be able to be used on a server machine and able to send email on errors that it sees.