On Monday 04 February 2008, Erich Schubert wrote:
> That it so far has been rather impractical to develop a SELinux policy
> module outside of the 'upstream policy tree' is a different issue.
> (Given that there were the NSA developed policy, the 'new' reference
> policy with strict and targeted modes and being under heavy development)
> The NSA policy has been discontinued, and the reference policy
> 'targeted' and 'strict' modes have been merged into just one policy
> (with a module to use 'targeted' mode).
>
> How about you just follow the same road that Exim took?
> Develop the module, send it to SELinux policy upstream, who happily
> included it in policy upstream.
> When the refpolicy package is updated again (Manoj seems to be MIA?),
> then we can close this bug.
Here are the messages with `setenforce Enforcing` and `setenforce Permissive`
type=DAEMON_START msg=audit(1202137401.610:4228) auditd start, ver=1.5.3,
format=raw, auid=4294967295 pid=3630 res=success, auditd pid=3630
type=CONFIG_CHANGE msg=audit(1202137401.614:34): audit_enabled=1 old=1 by
auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1202137401.615:35): audit_enabled=1 old=1 by
auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1202137401.644:36): audit_backlog_limit=320
old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1202137401.644:37): audit_backlog_limit=320
old=64 by auid=4294967295 res=1
type=MAC_STATUS msg=audit(1202138501.214:38): enforcing=0 old_enforcing=1
auid=4294967295
type=AVC msg=audit(1202138504.204:39): avc: denied { search } for pid=9413
comm="leafnode" name="spool" dev=dm-2 ino=4063245
scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1202138504.204:40): avc: denied { setattr } for pid=9413
comm="leafnode" name="news" dev=dm-2 ino=4199432
scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1202138504.205:41): avc: denied { read } for pid=9413
comm="leafnode" name="news" dev=dm-2 ino=4199432
scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1202138504.205:42): avc: denied { getattr } for pid=9413
comm="leafnode" path="/var/spool/news/message.id" dev=dm-2 ino=4199437
scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1202138504.209:43): avc: denied { ioctl } for pid=9413
comm="leafnode" path="socket:[38994]" dev=sockfs ino=38994
scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:system_r:tcpd_t:s0
tclass=udp_socket
type=AVC msg=audit(1202138504.210:44): avc: denied { getattr } for pid=9413
comm="leafnode" path="/var/spool/news/leaf.node/groupinfo" dev=dm-2
ino=6460883 scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1202138504.210:45): avc: denied { read } for pid=9413
comm="leafnode" name="groupinfo" dev=dm-2 ino=6460883
scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1202138504.252:46): avc: denied { read } for pid=9413
comm="leafnode" name="meminfo" dev=proc ino=4026531842
scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:proc_t:s0
tclass=file
type=AVC msg=audit(1202138504.252:47): avc: denied { getattr } for pid=9413
comm="leafnode" path="/proc/meminfo" dev=proc ino=4026531842
scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:proc_t:s0
tclass=file
Ritesh
--
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
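The audit records above are the raw material a policy author turns into a module. The script below is an added example, not part of the mail or of any Debian package: it unfolds the mail-wrapped records, reads the MAC_STATUS line to confirm the denials were collected in permissive mode (so every needed permission shows up in one run rather than stopping at the first denial), and aggregates the AVC denials per source type, target type and object class into allow rules of the kind audit2allow would print. The sample log is a constructed excerpt modelled on the records in the report; only the standard library is used.

```python
"""Summarise SELinux AVC denials from an audit log before writing a policy
module.  Added example; not the project's or the reporter's own code.
The sample log is a constructed excerpt modelled on the records in the mail
(leafnode running in tcpd_t, denied on var_spool_t and proc_t objects);
the wrapped lines are joined first, because mail clients fold long records.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=MAC_STATUS msg=audit(1202138501.214:38): enforcing=0 old_enforcing=1
auid=4294967295
type=AVC msg=audit(1202138504.204:39): avc: denied { search } for pid=9413
comm="leafnode" name="spool" dev=dm-2 ino=4063245
scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1202138504.204:40): avc: denied { setattr } for pid=9413
comm="leafnode" name="news" dev=dm-2 ino=4199432
scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1202138504.210:45): avc: denied { read } for pid=9413
comm="leafnode" name="groupinfo" dev=dm-2 ino=6460883
scontext=system_u:system_r:tcpd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1202138504.252:47): avc: denied { getattr } for pid=9413
comm="leafnode" path="/proc/meminfo" dev=proc ino=4026531842
scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:proc_t:s0
tclass=file
"""

# One AVC record after unfolding: perms, pid, comm, then the three contexts.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# MAC_STATUS is what setenforce leaves in the log: enforcing=0 is permissive.
MAC_RE = re.compile(r'type=MAC_STATUS .*? enforcing=(?P<enf>[01]) old_enforcing=(?P<old>[01])')


def unfold(text):
    """Join mail-wrapped continuation lines back onto their `type=` record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def domain_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]


def enforcing_mode(records):
    """True if the last MAC_STATUS record says enforcing, False if permissive,
    None if the log carries no MAC_STATUS record at all."""
    mode = None
    for rec in records:
        m = MAC_RE.search(rec)
        if m:
            mode = m.group("enf") == "1"
    return mode


def summarise_denials(records):
    """Map (source_type, target_type, tclass) -> sorted list of denied perms."""
    acc = defaultdict(set)
    for rec in records:
        m = AVC_RE.search(rec)
        if not m:
            continue
        key = (domain_type(m.group("scontext")),
               domain_type(m.group("tcontext")),
               m.group("tclass"))
        acc[key].update(m.group("perms").split())
    return {k: sorted(v) for k, v in acc.items()}


def allow_rules(summary):
    """Render the summary as policy allow rules, in audit2allow's shape."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(perms))
        for (s, t, c), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    recs = unfold(SAMPLE_LOG)
    print("enforcing:", enforcing_mode(recs))   # False: collected in permissive mode
    for rule in allow_rules(summarise_denials(recs)):
        print(rule)
```

On the sample this prints rules for tcpd_t against proc_t and var_spool_t. The source type is the thing to notice: every denial is for comm="leafnode" running in tcpd_t, the TCP wrapper's domain, so the rules describe what a leafnode domain would need rather than permissions to grant tcpd_t itself; that is the module Erich suggests sending upstream, where the accesses are written against a dedicated leafnode type and file contexts instead of the generic var_spool_t.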

