Re: Permissive domain how-to?

[Eric Paris <eparis redhat com>]

On Fri, 2008-10-24 at 07:10 +0900, Shintaro Fujiwara wrote:
> Hi, I want to set permissive some domain as Mr Walsh gave us a hint,
> but when I tried to do that,
> 
> [root notepc ~]# semanage permissive -a zabbix_t
> /usr/sbin/semanage: Permission denied
> 
> Another one was same result.
> 
> Why ?

Obviously semanage permissive could use some work....

[root paris-laptop ~]# semanage permissive -a zabbix_t
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 477, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 376, in process_args
    OBJECT.add(target)
  File "/usr/lib/python2.5/site-packages/seobject.py", line 345, in add
    mc.create_module_package(filename, 1)
  File "/usr/lib/python2.5/site-packages/sepolgen/module.py", line 172, in create_module_package
    self.refpol_build(sourcename)
  File "/usr/lib/python2.5/site-packages/sepolgen/module.py", line 186, in refpol_build
    raise RuntimeError("compilation failed:\n%s" % self.last_output)
RuntimeError: compilation failed:
Compiling targeted permissive_zabbix_t module
m4: tmp/permissive_zabbix_t.mod.role: No such file or directory
make: *** [tmp/permissive_zabbix_t.mod] Error 1

You might be able to give some more info running

strace -o /tmp/semanage.strace -s 1024 semanage permissive -a zabbix_t

On the other hand you could build your own module by hand while we wait
on dan to help us out with semamage....

policy_module(permissivezabbix, 1.0)
gen_require(`
       type zabbix_t;
')
permissive zabbix_t;

checkmodule -M -m -o permissivezabbix.mod permissivezabbix.te
semodule_package -o permissivezabbix.pp -m permissivezabbix.mod
semodule -i permissivezabbix.pp