Re: Generating policies for Nagios on Fedora9 - difficulties

[Daniel J Walsh <dwalsh redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dirk H. Schulz wrote:
> Paul,
> 
> --On 6. November 2008 12:09:45 +0000 Paul Howarth <paul city-fan org>
> wrote:
> 
> - snip -
> 
>>
>> The SELinux denials that you're hitting now are probably dontaudit-ed in
>> pollcy. You can turn off the dontaudit rules using:
>>
>> # semodule -BD
>>
>> and turn them back on using:
>>
>> # semodule -B
> 
> Thanks for helping, that was my problem.
> 
>>
>> Be careful with policy generated from audit logs with dontaudit rules
>> turned off to ensure that what you're allowing is actually necessary and
>> not just unrelated noise.
> 
> I have tried to use only those denials that seemed related to my problem
> (that means they contained "mailq" and "postqueue"). No I have got this
> working.
> 
> There is another two newbie questions if you allow:
> - loading a module with semodule -i - is this permanent or temporary
> regarding reboots? I did not find any hint in web docs and man pages on
> that.
Yes they are permanent.
> - since I have done this very careful step by step I now have lots of
> .te and .pp files. Can I simply do ca "cat *.te > all.te" and recompile
> it or is there a tool that generates a syntactically more compact .te file?
> 
Well not exactly, you really can only have one policy_modules() line at
the top,  So you can edit your all.te and it would work.
> Dirk
> 
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkUVwwACgkQrlYvE4MpobOTygCePPBY34l7iG4DeyDnqpQTORvi
LJEAnAgLxZAFoznhvNvs0UqtFZERybKn
=5C2L
-----END PGP SIGNATURE-----