[ale] SELinux & abrtd

Jim Kinney jim.kinney at gmail.com
Fri Sep 17 15:48:44 EDT 2010


_which_ gui tool? The one that works pretty well in Fedora is the selinux
troubleshooter. It's an automatic desktop thing with an alerter. It has a
details drop down that includes a command line to fix the problem. If you
don't clear the tool, you can go back and review past events.

Most of the reports will not be real break-in attempts but will be places
where an app tried to do a transition that was not allowed (i.e. a selinux
policy bug or the app developer changed the way something worked under the
hood and the selinux team "didn't get the memo").

On Fri, Sep 17, 2010 at 3:29 PM, Drifter <drifter at oppositelock.org> wrote:

> I tried using the GUI SELinux command tool -- even went to Red Hat's own
> "how to" page for the tool.  The instructions were incomplete, to say the
> least.  The tool simply does not work the way it should. It lists all the
> programs for which it has a rule set.  But there is no obvious way to pull
> up the existing rule set for the program in question, in this case abrtd.
> The tool will only let you create a new rule set from scratch.
> This is STUPID!  Then it requires choices without defining them, leaving
> the user to guess.
> I'm sorry; I tried.  This tool is simply not ready for prime time.
> SELinux may be a "Good Thing" (tm) but I have had at least a half dozen
> SELinux reports in the past month, all of them false alarms.  Have set the
> damn thing to Permissive Mode.
>
> Sean
>
>
> -----------------------------------------------------------------------------
>
> On Friday, September 17, 2010 02:37:20 pm Jim Kinney wrote:
> > for that matter you can run windows but you wouldn't want to.
> >
> > SELinux is a good thing. It should be used. When there are bugs they
> > should be reported. With a basic target policy it "JustWorks" 99+% of
> > the time. That other tiny fraction is not a show stopper 99.9+% of the
> > time.
> >
> > So a bit of policy tweaks (the gui tool in Fedora actually will tell
> > you the command to run to allow the blocked process) are a good thing
> > to learn about.
> >
> > On Fri, Sep 17, 2010 at 2:18 PM, Jim Lynch <ale_nospam at fayettedigital.com> wrote:
> > > You can do what I always do and disable SELinux.
> > >
> > > Jim.
> > >
> > > On 09/17/2010 11:52 AM, Drifter wrote:
> > > > got this message this morning:
> > > >
> > > > SELinux denied access requested by abrtd. It is not expected that
> > > > this access is required by abrtd and this access may signal an
> > > > > intrusion attempt. It is also possible that the specific version or
> > > > > configuration of the application is causing it to require
> > > > additional access.
> > > >
> > > > All I know about abrtd is what Google turned up:
> > > >
> > > > > abrt is a tool to help users to detect defects in applications and
> > > > > to create a bug report with all informations needed by maintainer
> > > > > to fix it.
> > > > > It uses plugin system to extend its functionality.
> > > > So I think my question is
> > > > How do I get SELinux to let the program do its thing?
> > > > Or should I just not give a damn?
> > > > Sean
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://mail.ale.org/mailman/listinfo/ale
> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > http://mail.ale.org/mailman/listinfo



-- 
James P. Kinney III
I would rather stumble along in freedom than walk effortlessly in chains.
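
An added example, not part of the original message: one way to see what a run of SELinux reports actually contains before choosing between a policy tweak and permissive mode is to group the AVC denial records by process and type pair. The log lines below are constructed samples, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1284738521.101:412): avc:  denied  { read } for  pid=1432 comm="abrtd" name="core.2211" dev=dm-0 ino=5310 scontext=system_u:system_r:abrt_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1284738521.105:413): avc:  denied  { read } for  pid=1432 comm="abrtd" name="core.2211" dev=dm-0 ino=5310 scontext=system_u:system_r:abrt_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1284739900.220:431): avc:  denied  { write } for  pid=2877 comm="ntpd" name="drift" dev=dm-0 ino=7712 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1284739900.220:431): arch=c000003e syscall=2 success=no exit=-13 comm="ntpd"
"""

# Pulls the denied permissions, the process name, both contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Count AVC denials grouped by (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue  # AVC record that is not a denial, or an unexpected layout
        key = (m["comm"], selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], tuple(sorted(m["perms"].split())))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (comm, src, tgt, cls, perms), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {comm}: {src} -> {tgt} [{cls}] {{ {' '.join(perms)} }}")
```

The same denial repeated many times for one process and one type pair is the pattern of a policy gap; a single denial from a process with no reason to touch that target deserves a closer look.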