On 7/3/2011 5:15 PM, Cameron Simpson wrote:
> On 03Jul2011 15:02, Paul Allen Newell<pnew...@cs.cmu.edu>  wrote:
> | On 7/3/2011 2:54 PM, Paul Morgan wrote:
> |>On Jul 3, 2011 5:38 PM, "Paul Allen Newell" <pnew...@cs.cmu.edu> wrote:
> |>
> |>it really is bad form to run a script out of root's home
> |>directory.
>
> A little untidy, sure. But...
>
> [...]
>
> And regarding the "why does selinux log so much with setenforce 0":
> selinux isn't off, it is just in "permissive" mode - report all
> violations of the rules but don't prevent them. It is a debugging mode;
> the intent is that you correct your rules. You can also run the system
> with selinux genuinely off, though I think it may need a reboot once
> selinux has been started at all.
>
> Cheers,

Regarding where to put it, I was already thinking /usr/local/{bin,sbin}, 
just wanted to figure out whether bin or sbin was better (gut instinct 
would be bin)

I have managed to figure out that there is this mode known as 
"permissive" and that sure cleared up a lot of my "on/off" assumptions.

I have been reading up about rules and audit2allow. Makes sense in 
theory, but when I looked at the rule that was generated with 
audit2allow, it's 365 lines long. Plus trying multiple reboots gives me 
warnings about different files. When rebooting, I see 50 warnings; when 
I run as root, I see about 270 warnings (only /home for reboot; all searched 
directories for running in terminal). The 365 is only for the 50-warning 
version ...

I can't see any way to temporarily disable selinux from catching 
violations while I do the clamscan (though the pop-up asks me if I want 
alerts, it doesn't look like getting an alert prevents the violation 
from being caught)

My first question is whether there is a way to go "allow clamscan_t * 
{read open search getattr}" so that clamscan will have permission to 
examine anything on the system (which is what I would want with a virus 
scan, right?). I discovered that the write warnings were for the debug 
writing to *.out and *.err per your suggestion, so I gratefully don't 
have to give clamscan write clearance.

The second question is why wouldn't selinux be defaulted to allow clamav 
given that's what Fedora seems to be suggesting/using? That being said, 
there is probably a good reason that I am not savvy enough to see ... 
but I still want to ask the question.

One good thing is I'm finally beginning to get an idea of what selinux 
is out of all this ...

Thanks,
Paul
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
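The questions above (why the audit2allow module runs to hundreds of lines, and how to grant clamscan_t read access without also granting the write it only needed for the *.out/*.err debug files) come down to what audit2allow does with the AVC records: one allow rule per (source type, target type, object class) it has seen. The following is an added example, not code from the thread or from the audit2allow tool, that reproduces that collapsing step on a handful of constructed audit.log lines so the generated policy can be inspected before anything is installed. The AVC records, pids, inodes and paths are made up for the example; the type names (clamscan_t, user_home_t, admin_home_t, home_root_t, user_home_dir_t) are the ones the reference policy uses, but which of them a real scan hits depends on the system.

```python
"""Collapse SELinux AVC denials into allow rules, the way audit2allow does,
so the resulting module can be read and trimmed before it is installed.
Added example; the audit records below are constructed, not real denials."""
import re
from collections import defaultdict

# Constructed audit.log records in AVC format (pids, inodes, paths invented).
# Record 406 is the kind of denial the debug redirection to *.out/*.err
# produces: a write that a read-only scan does not need.
SAMPLE_AVC = """\
type=AVC msg=audit(1309735000.123:401): avc:  denied  { search } for  pid=2310 comm="clamscan" name="home" dev=sda3 ino=2 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1309735000.124:402): avc:  denied  { read } for  pid=2310 comm="clamscan" name="paul" dev=sda3 ino=131073 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309735000.124:403): avc:  denied  { open } for  pid=2310 comm="clamscan" name="paul" dev=sda3 ino=131073 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1309735000.130:404): avc:  denied  { getattr } for  pid=2310 comm="clamscan" path="/home/paul/notes.txt" dev=sda3 ino=131080 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309735000.131:405): avc:  denied  { read open } for  pid=2310 comm="clamscan" path="/home/paul/notes.txt" dev=sda3 ino=131080 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1309735000.140:406): avc:  denied  { write } for  pid=2310 comm="clamscan" path="/root/scan.out" dev=sda3 ino=7741 scontext=system_u:system_r:clamscan_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"  # permissions that were denied
    r".*?scontext=(?P<scon>\S+)"                    # source (process) context
    r"\s+tcontext=(?P<tcon>\S+)"                    # target (object) context
    r"\s+tclass=(?P<tclass>\S+)"                    # object class: file, dir, ...
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse AVC denial records into (source_type, target_type, class, perms)."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other non-AVC records are skipped
        denials.append((
            context_type(m.group("scon")),
            context_type(m.group("tcon")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def collapse(denials, drop_perms=frozenset()):
    """Merge denials into one rule per (source, target, class) triple.

    Permissions listed in drop_perms (e.g. {"write"} for the debug output
    files) are removed first; triples left with no permissions are dropped.
    Every distinct target type a scan touches yields its own rule, which is
    why a module built from a whole-filesystem scan grows to hundreds of lines.
    """
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)].update(perms - drop_perms)
    return {key: sorted(perms) for key, perms in rules.items() if perms}


def fmt_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_te(rules, module_name):
    """Emit a .te source module in the shape audit2allow -M produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = ["module %s 1.0;" % module_name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, fmt_perms(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    read_only = collapse(denials, {"write"})
    print("%d denials -> %d rules after dropping write" % (len(denials), len(read_only)))
    print(render_te(read_only, "local_clamscan"))
```

On a real system the same collapsing is done by `ausearch -m avc -c clamscan | audit2allow -M local_clamscan`, which writes local_clamscan.te and local_clamscan.pp; read the .te, delete the write rules, rebuild with `checkmodule -M -m -o local_clamscan.mod local_clamscan.te && semodule_package -o local_clamscan.pp -m local_clamscan.mod`, and install with `semodule -i local_clamscan.pp`. The "allow clamscan_t * { read open search getattr }" rule asked about above is normally written against the reference policy attribute `file_type` rather than `*` (one rule for class dir, one for class file), and before adding any local rule it is worth checking `getsebool -a | grep clam` in case the installed policy already carries a boolean for this. To stop clamscan from being blocked without putting the whole machine in permissive mode, `semanage permissive -a clamscan_t` makes only that domain permissive; the denials are still logged, which is what makes the audit2allow run possible afterwards.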