On 03/09/2018 05:18 AM, Nicolas Kovacs wrote:
> Do allow this
> access for now by executing:
> # ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
> # semodule -i my-sslcrtd.pp
>
> Unfortunately the suggested solution doesn't work

Start by running "ausearch -c 'ssl_crtd' --raw" by itself. Try to
determine whether or not all of the affected files are mentioned in that
output.

Typically, to generate a complete policy, you'll need to run in
permissive mode while you operate the system, so that all of the things
that you want to allow are recorded. Many services that need a new
policy will generate more than one AVC denial, and in enforcing mode
they'll terminate or at least cease processing the labeled resources
that they need after the first denial. In permissive mode, you should
get a better list of exceptions that are required, because AVCs are
recorded, but the application isn't actually denied permission to those
resources.

When your logs are complete, remove the old module and generate a new
one according to the directions from sealert.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
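
Added example, not part of the original message: a small Python reviewer for `ausearch -c 'ssl_crtd' --raw` output that groups AVC denials by source type, target type and class, and compares what was logged while enforcing with what was logged while permissive. The sample records, the types `squid_t` and `var_lib_t`, and the file names are constructed for illustration; the printed rules only imitate the style of audit2allow output.

```python
import re
from collections import defaultdict

# Constructed records in `ausearch --raw` format (not taken from the thread).
# The first is logged while enforcing, the rest while permissive.
_TEMPLATE = ('type=AVC msg=audit(15205900{n:02d}.000:5{n:02d}): avc:  denied  '
             '{{ {perm} }} for  pid=2101 comm="ssl_crtd" name="{name}" dev="dm-0" '
             'ino=10{n:02d} scontext=system_u:system_r:squid_t:s0 '
             'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass={cls} permissive={mode}')
_EVENTS = [("read", "index.txt", "file", 0), ("read", "index.txt", "file", 1),
           ("open", "index.txt", "file", 1), ("write", "size", "file", 1),
           ("write", "ssl_db", "dir", 1), ("add_name", "certs", "dir", 1)]
SAMPLE = "\n".join(_TEMPLATE.format(n=i, perm=e[0], name=e[1], cls=e[2], mode=e[3])
                   for i, e in enumerate(_EVENTS))

def parse_avc(line):
    """Return (src_type, tgt_type, tclass, perms, name, permissive) or None."""
    denied = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not denied:
        return None
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    src = f["scontext"].split(":")[2]   # user:role:type:level
    tgt = f["tcontext"].split(":")[2]
    # Assumption: a record without permissive= is treated as enforcing.
    return (src, tgt, f["tclass"], denied.group(1).split(),
            f.get("name"), f.get("permissive", "0") == "1")

def summarize(raw, permissive=None):
    """Group denials by (source type, target type, class); optionally filter by mode."""
    rules = defaultdict(lambda: {"perms": set(), "names": set()})
    for src, tgt, cls, perms, name, mode in filter(None, map(parse_avc, raw.splitlines())):
        if permissive is not None and mode != permissive:
            continue
        rules[(src, tgt, cls)]["perms"].update(perms)
        if name:
            rules[(src, tgt, cls)]["names"].add(name)
    return dict(rules)

def te_rules(rules):
    """Render the grouped denials as allow rules for human review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
            for (s, t, c), v in sorted(rules.items())]

if __name__ == "__main__":
    for label, mode in (("logged while enforcing", False), ("logged while permissive", True)):
        print(label)
        for (s, t, c), v in sorted(summarize(SAMPLE, mode).items()):
            print("  ", te_rules({(s, t, c): v})[0], " files:", sorted(v["names"]))
```

Reading the grouped rules and file names before loading a module also shows whether the generated policy grants more than the service needs.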