On Tue, 2006-04-04 at 14:57 -0500, Robert Nichols wrote:
> Matthew Saltzman wrote:
> > On Tue, 4 Apr 2006, Robert Nichols wrote:
> >
> >> Changing file contexts is very simple. Knowing what to change a
> >> file context _to_ in order to fix any particular denial is not so
> >> simple. And fixing the root problem that is repeatedly causing
> >> similar denials requires quite a bit of knowledge and analysis.
> >
> >
> > I've seen references to audit2allow that make me think this tool should
> > help identify what needs to be changed to fix any particular denial.
> > Haven't investigated in detail yet.
>
> There is simply no way for audit2allow to know what is the
> appropriate change. Should executables with this type always be
> allowed this kind of access? Does the executable have the wrong
> type? Does the target file have the wrong context, and if so,
> how did it get that way and what needs to be done so that in the
> future similar files will get the correct context? The
> immediate problem can be circumvented by changing any of the
> three parameters, but knowing which change is "right" is a bit
> more complicated.
>
> And that's just for users. The application developer has a
> whole additional level of complexity to consider if his app.
> finds itself "targeted".
>
> To make SELinux work for the wide variety of things done on
> desktop machines it needs a staff of highly trained volunteers
> willing to donate their time to analyze each problem and make
> and maintain the appropriate changes to the standard policy on
> each system. And fix it RIGHT NOW, please, I need to finish
> building this ISO and mail out the CD-R before the Post Office
> closes today. OK, "setenforce 0" is the quickest fix. Pardon
> me if I somehow neglect to change that back any time soon.
----
I am quite certain that if you wanted specific help with this issue, the
fedora-selinux list would help you solve it.

If you want to deal with it in a generic form of way as you are doing, this
list and the fedora-selinux list aren't likely to be able to provide
much guidance.

Craig
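The "three parameters" discussed in the quoted text can be read straight out of a denial record. The following is an added example, not part of the thread: it parses one AVC denial and lists the three places a fix could go. The sample log line is constructed, and the function names `parse_avc` and `candidate_fixes` are hypothetical.

```python
import re

# Constructed sample denial, not taken from the thread.
SAMPLE = ('type=AVC msg=audit(1144180620.123:45): avc:  denied  { read write } for  '
          'pid=2345 comm="httpd" name="index.html" dev=hda2 ino=12345 '
          'scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=user_u:object_r:user_home_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    try:
        # A context is user:role:type[:mls-range]; the type is the third field.
        source_type = fields['scontext'].split(':')[2]
        target_type = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {'perms': m.group('perms').split(),
            'comm': fields.get('comm', '?').strip('"'),
            'name': fields.get('name', '?').strip('"'),
            'source_type': source_type,
            'target_type': target_type,
            'tclass': tclass}

def candidate_fixes(d):
    """The three possible changes; the record alone cannot say which is right."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return [
        # 1. Change the policy: the rule audit2allow would propose.
        ('policy', f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {perms};"),
        # 2. Change the source: the process may be running in the wrong domain.
        ('source', f"{d['comm']} runs as {d['source_type']}; "
                   "if that is wrong, relabel the executable"),
        # 3. Change the target: the object may carry the wrong label.
        ('target', f"{d['name']} is labelled {d['target_type']}; "
                   "if that is wrong, relabel it and fix the file-context rule"),
    ]

if __name__ == '__main__':
    for where, what in candidate_fixes(parse_avc(SAMPLE)):
        print(f'{where:7} {what}')
```

All three lines come from the same record, which is why picking between them takes knowledge of what the program and the file are supposed to be.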