SELinux Modules

Dan Walsh of Red Hat talks about SETroubleshooter, which translates the gobbledegook error messages from SELinux and better explains what the issues are. The audit2allow tool generates the SELinux macro language (audit2allow’s been around for a while). audit2allow -M builds a module and prompts the user with the commands needed to incorporate it: a te file for type enforcement, a pp ‘policy package’ that contains the policy and a compiler that generates a .mod file.

The selinux-policy-devel package provides the tools to generate a new policy that can confine an application. Policygentool takes a ModuleName and an Executable as parameters. Dan used the smart card daemon as an example. He used the tool and generated a basic template, started the service, viewed the logs, added in the policies needed to support the behaviors of the tool and re-generated the module. “Lather, rinse, repeat.”

There’s a package on FC6 called policycoreutils-gui, which I think is called system-configure-selinux (Dan didn’t have it installed), that will let you do much of this without working from the command windows.

