[lug] Understanding SElinux "semodule" and "audit2allow"
Andrew Gilmore
agilmore2 at gmail.com
Fri Oct 25 15:32:51 MDT 2013
> Your suspicion is correct. Each time you run the above you are creating a
> completely new mypol module and replacing the existing one. If you no
> longer capture avc denials in /var/log/audit/audit.log (because they are
> allowed in the current mypol), then you will lose those.
>
> Couple things to try:
> - grep through all of the old audit.log files as well to capture the
> original denials as well.
> - create a new policy module with audit2allow, then merge the .te files.
> They aren't too bad once you get the hang of them. You can find rules on
> the web to build .pp from .te.
> - You could do multiple modules, but that seems unwieldy and inelegant.
>
In my case, I find it sometimes makes sense to have multiple modules. It's
definitely worth capturing all of the changes made to support a single
function in a specific module, but if I have two applications requiring
different accesses, I like having them in different modules.
Andrew
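As an added worked example of the workflow the quoted message describes (keep the old denials, merge the generated .te sources, rebuild one module), here is a small POSIX shell script. It is not code from this thread or from either poster. It assumes the module name "mypol" from the thread, the default audit log directory, and the standard audit2allow, checkmodule, semodule_package and semodule tools with their usual options; the require-block merge is purely textual, so review the merged file before building it.

```shell
# Added example, not from the thread. Assumes the module name "mypol",
# the default /var/log/audit location and the standard SELinux policy tools.

# Gather AVC denials from the current and rotated audit logs (plain or
# gzip-compressed), so that denials already allowed by the installed module
# are not lost when the module is regenerated from the current log alone.
collect_denials() {
    logdir="${1:-/var/log/audit}"
    for f in "$logdir"/audit.log "$logdir"/audit.log.*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done | grep 'type=AVC' | grep 'denied'
}

# Merge two .te files: module name taken from the first file, version given
# as the fourth argument, union of the require entries and union of the
# allow/dontaudit/auditallow rules (exact duplicate lines removed).
# The require merge is textual; review it before building.
merge_te() {
    base="$1"; new="$2"; out="$3"; version="$4"
    modname=$(sed -n 's/^module \([^ ]*\) .*/\1/p' "$base" | head -n1)
    {
        echo "module $modname $version;"
        echo
        echo "require {"
        sed -n '/^require {/,/^}/p' "$base" "$new" \
            | grep -v -e '^require {' -e '^}' | sort -u
        echo "}"
        echo
        grep -h -E '^(allow|dontaudit|auditallow) ' "$base" "$new" | sort -u
    } > "$out"
}

# Compile a .te into a .pp and load it. semodule replaces an installed module
# of the same name, so the merged module supersedes the old mypol.
build_and_install() {
    te="$1"; stem="${te%.te}"
    checkmodule -M -m -o "$stem.mod" "$te" &&
    semodule_package -o "$stem.pp" -m "$stem.mod" &&
    semodule -i "$stem.pp"
}

# Typical run (root and the SELinux tools required):
#   collect_denials | audit2allow -M mypol_new     # writes mypol_new.te and .pp
#   merge_te mypol.te mypol_new.te mypol_merged.te 1.1
#   build_and_install mypol_merged.te
```

Because merge_te only unions lines, two require entries for the same class with different permission sets stay as two lines; checkmodule will tell you if it objects, and the fix is to fold them into one entry by hand. Keeping the module name in the header unchanged is what makes semodule -i replace the old module instead of adding a second one.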