Re: Generating policies for Nagios on Fedora9 - difficulties
- From: Paul Howarth <paul city-fan org>
- To: "Dirk H. Schulz" <dirk schulz kinzesberg de>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Generating policies for Nagios on Fedora9 - difficulties
- Date: Fri, 7 Nov 2008 09:02:10 +0000
On Fri, 07 Nov 2008 09:06:41 +0100
"Dirk H. Schulz" <dirk schulz kinzesberg de> wrote:
> Paul,
>
> --On 6. November 2008 12:09:45 +0000 Paul Howarth <paul city-fan org>
> wrote:
>
> - snip -
>
> >
> > The SELinux denials that you're hitting now are probably
> > dontaudit-ed in policy. You can turn off the dontaudit rules using:
> >
> > # semodule -BD
> >
> > and turn them back on using:
> >
> > # semodule -B
>
> Thanks for helping, that was my problem.
>
> >
> > Be careful with policy generated from audit logs with dontaudit
> > rules turned off to ensure that what you're allowing is actually
> > necessary and not just unrelated noise.
>
> I have tried to use only those denials that seemed related to my
> problem (that means they contained "mailq" and "postqueue"). Now I
> have got this working.
>
> There are another two newbie questions, if you allow:
> - loading a module with semodule -i - is this permanent or temporary
> regarding reboots? I did not find any hint in web docs and man pages
> on that.
> - since I have done this very carefully step by step I now have lots
> of .te and .pp files. Can I simply do a "cat *.te > all.te" and
> recompile it or is there a tool that generates a syntactically more
> compact .te file?
Not sure; all I do in such cases is merge together the "require"
clauses at the top and then all of the allow rules/interface calls just
follow on all together as if it was just one regular file.
Paul.
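
The manual merge described in the reply above (combine the "require" clauses, then list the allow rules), as an added example that is not part of the original thread. It goes slightly further by de-duplicating types and unioning permissions per rule; it assumes plain `audit2allow -M` style sources, and `merge_te`, the module name `local_merged` and both sample inputs are constructed for illustration.

```python
import re
from collections import defaultdict

def _names(text):  # 'a_t, b_t' or '{ read write }' -> set of identifiers
    return set(re.findall(r"\w+", text))

def merge_te(sources, name="local_merged", version="1.0"):
    """Merge audit2allow-style .te texts into a single module source."""
    # types: required types; classes: class -> perms; rules: (src, tgt, class) -> perms
    types, classes, rules = set(), defaultdict(set), defaultdict(set)
    for text in sources:
        text = re.sub(r"#[^\n]*", "", text)        # drop comments
        text = re.sub(r"require\s*\{", "", text)   # opening of a require block
        text = re.sub(r";\s*\}", ";", text)        # its closing brace
        for stmt in filter(None, (" ".join(s.split()) for s in text.split(";"))):
            kw, _, rest = stmt.partition(" ")
            if kw == "type":
                types |= _names(rest)
            elif kw == "class":
                cls, _, perms = rest.partition(" ")
                classes[cls] |= _names(perms)
            elif kw == "allow" and (m := re.fullmatch(r"(\w+) (\w+) ?: ?(\w+) (.+)", rest)):
                rules[m.groups()[:3]] |= _names(m[4])
            elif kw != "module":                   # old headers are replaced below
                raise ValueError(f"unsupported statement: {stmt!r}")
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {n};" for n in sorted(types)]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                        for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

SAMPLE_A = """module nagiosmailq 1.0;
require {
    type nagios_t;
    type postfix_postqueue_exec_t;
    class file { execute getattr };
}
#============= nagios_t ==============
allow nagios_t postfix_postqueue_exec_t:file { execute getattr };
"""  # constructed sample, shaped like audit2allow -M output
SAMPLE_B = """module nagiospostqueue 1.0;
require { type nagios_t; type postfix_postqueue_exec_t; type postfix_spool_t;
          class file { read execute }; class dir search; }
allow nagios_t postfix_postqueue_exec_t:file { read execute };
allow nagios_t postfix_spool_t:dir search;
"""  # constructed sample

if __name__ == "__main__":
    print(merge_te([SAMPLE_A, SAMPLE_B]), end="")
```

Anything other than `module`, `type`, `class` and `allow` statements (interface calls, for instance) raises `ValueError` instead of being dropped, so the merged file never silently loses or changes a rule.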