search for: semodule_packag

...s_script_t ============== allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read; EOF $ checkmodule -M -m -o foo.mod foo.te checkmodule: loading policy configuration from foo.te checkmodule: policy configuration loaded checkmodule: writing binary representation (version 6) to foo.mod $ semodule_package -o foo.pp -m foo.mod $ echo $? 0 # So far, so good. But : $ checkmodule -b foo.pp checkmodule: loading policy configuration from foo.pp libsepol.policydb_read: policydb magic number 0xf97cff8f does not match expected magic number 0xf97cff8c or 0xf97cff8d checkmodule: error(s) encountered while...

Using audit2allow, I was able to create a policy module for selinux: audit2allow -i /var/log/audit/audit.log -M mysqld (creates mysqld.pp and mysqld.te) I want to distribute this to all my puppet clients. I can easily put this file in /etc/selinux/targeted/modules/active/modules But even after reboot, although I can see the module listed: semodule -l ... it doesn''t seem to actually

...stom SELinux policy has changed somewhat from 4->5. I've got it mostly figured out; I have a local.te file with my custom policy and also which defines a few new file types, and a local.fc with appropriate defintions of file contexts. When I run: # checkmodule -M -m -o local.mod local.te # semodule_package -o local.pp -m local.mod # semodule -i local.pp (all in /usr/share/selinux/targeted), the policy gets installed and works properly. However, I can't then use fixfiles or the like to set the custom file contexts (my custom file contexts aren't installed in the main policy). I can apply the...

Hi list, I've knocked up a contribution on SELinux here: http://wiki.centos.org/HowTos/SELinux I've tried to pitch it as an introduction for those not already familiar with SELinux but also hopefully a useful reference. I'm relatively new to SELinux and have covered pretty much everything I know to the limits of my limited knowledge. If folks think other material needs to be

...ty RPM) Run make to build the SELinux module Note: https://stopdisablingselinux.com/ :-) You will need policycoreutils-python and checkpolicy in order to be able to build the SELinux module ==================== Makefile ======================== module: checkmodule -M -m -o local.mod local.te semodule_package -o local.pp -m local.mod semodule -i local.pp ==================== local.te ======================== module local 1.0; require { type ntpd_t; type <sign_socket_context>; class sock_file write; class dir search; } allow chronyd_t <sign_socket_context>:dir search...

...e setattr remove_name rmdir}; } allow clamscan_t amavis_var_lib_t:file {getattr read open write create unlink}; allow clamscan_t amavis_var_lib_t:dir {search read getattr open write add_name create setattr remove_name rmdir}; -EOF- * checkmodule -M -m -o se_clamav_amavis.mod se_clamav_amavis.te * semodule_package -o se_clamav_amavis.pp -m se_clamav_amavis.mod * semodule -i se_clamav_amavis.pp --- N.B. I am just migrating from SuSE to CentOS and this is my first contact with SELinux. I have *no idea* if this is the appropriate approach to solve the issue. I have found out this by trial and error and not b...

hi, i want set selinux to usw with ntpd but when i run (as described in wiki) semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd" i have that error " usage: semanage [-h] {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit} ... semanage: error: argument subcommand: invalid choice:

...stfix.te # # 2) Compile this file: # # checkmodule -M -m -o local_postfix.mod local_postfix.te # # 3) Create SELinux policy package: # # semodule_package -o local_postfix.pp -m local_postfix.mod # # 4) Move policy package to normal SELinux modules directory: # # mv local_postfix.pp /etc/selinux/targeted/modules/active/modules/ # # 5) Update kernel with new policy package: # # semodul...

...r_run_t:file { read write getattr open lock }; allow smbd_t samba_unconfined_script_exec_t:dir read; allow smbd_t urandom_device_t:chr_file write; allow smbd_t var_lock_t:dir search; ---***--- Compile the module and create the policy package: # checkmodule -M -m -o samba4local.mod samba4local.te # semodule_package -o samba4local.pp -m samba4local.mod Load the module: # semodule -i samba4local.pp With this policy in place SELinux should be able to run in enforcing mode without affecting Samba. I also enabled the following SELinux booleans: # setsebool -P samba_domain_controller on # setsebool -P samba_enabl...