David G. Miller wrote:
Paul Howarth <paul@xxxxxxxxxxxx> wrote:
You don't need anything particularly complicated to do local policy
changes in FC5 (it's much easier than in FC4 IMHO).
See:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
for example.
Actually you'll find its functionally the same but a lot of the "bones"
that show through in FC4 and earlier now remain hidden:
1) Use audit2allow to create a local ruleset.
2) Compile and load the local ruleset.
3) See if the local ruleset accomplishes what you wanted. If not, go to
step 1 and repeat.
The FC4 method just meant you also had to unpack the whole targeted
ruleset and remake it in order to add the local ruleset. On the other
hand, you get to see what's "under the hood" even though most people
doing this would leave it alone. The FC5 approach lets you just tack on
a local policy.
Also, I noticed that the article in the link mentions that "/!\ You need
to have have the checkpolicy package installed to build policy
modules". Is that a different RPM that the OP will need?
Yes, it has the policy compiler in it. But they'll only need it if they
actually need to compile local policy. It's conceivable that breakage as
major as cron job mail not working might be a labelling error. It can't
tell myself as I don't know how Postfix is *supposed* to work.
Paul.
