[ale] SELinux & abrtd

Drifter drifter at oppositelock.org
Fri Sep 17 21:38:33 EDT 2010


Jim,
What I used was system-config-selinux.

Sean

-----------------------------------------------------------------------

On Friday, September 17, 2010 03:48:44 pm Jim Kinney wrote:
> _which_ gui tool? The one that works pretty well in Fedora is the
> selinux troubleshooter. It's an automatic desktop thing with an
> alerter. It has a details drop down that includes a command line to
> fix the problem. If you don't clear the tool, you can go back and
> review past events.
> 
> Most of the reports will not be real break in attempts but will be
> places when an app tried to do a transition that was not allowed (i.e.
> a selinux policy bug or the app developer changed the way something
> worked under hood and the selinux team "didn't get the memo".)
> 
> On Fri, Sep 17, 2010 at 3:29 PM, Drifter <drifter at oppositelock.org> 
wrote:
> > I tried using the GUI SELinux command tool -- even went to Red Hat's
> > own "how to" page for the tool.  The instructions were incomplete,
> > to say the least.  The tool simply does not work the way it should.
> > It lists all the programs for which it has a rule set.  But there is
> > no obvious way to pull up the existing rule set for the program in
> > question, in this case abrtd. The tool will only let you create a
> > new rule set from scratch. This is STUPID!  Then it requires choices
> > without defining them, leaving the user to guess.
> > I'm sorry; I tried.  This tool is simply not ready for prime time.
> > SELinux may be a "Good Thing" (tm) but I have had at least a half
> > dozen SELinux reports in the past month, all of them false alarms. 
> > Have set the damn thing to Permissive Mode.
> > 
> > Sean
> > 
> > 
> > ---------------------------------------------------------------------
> > --------
> > 
> > On Friday, September 17, 2010 02:37:20 pm Jim Kinney wrote:
> > > for that matter you can run windows but you wouldn't want to.
> > > 
> > > SELinux is a good thing. It should be used. When there are bugs
> > > they should be reported. With a basic target policy it "JustWorks"
> > > 99+% of the time. That other tiny fraction is not a show stopper
> > > 99.9+% of the time.
> > > 
> > > So a bit of policy tweaks (the gui tool in Fedora actually will
> > > tell you the command to run to allow the blocked process) are a
> > > good thing to learn about.
> > > 
> > > On Fri, Sep 17, 2010 at 2:18 PM, Jim Lynch
> > 
> > <ale_nospam at fayettedigital.com>wrote:
> > > > You can do what I always do and disable SELinux.
> > > > 
> > > > Jim.
> > > > 
> > > > On 09/17/2010 11:52 AM, Drifter wrote:
> > > > > got this message this morning:
> > > > > 
> > > > > SELinux denied access requested by abrtd. It is not expected
> > > > > that this access is required by abrtd and this access may
> > > > > signal an intrusion attempt. It is also possible that the
> > > > > specific version or
> > > > > configuration of the application is causing it to require
> > > > > additional access.
> > > > > 
> > > > > All I know about abrtd is what Google turned up:
> > > > > 
> > > > > abrt is a tool to help users to detect defects in applications
> > > > > and
> > > > > 
> > > > > to create a bug report with all informations needed by
> > > > > maintainer to fix
> > > > 
> > > > it.
> > > > 
> > > > > It uses plugin system to extend its functionality.
> > > > > So I think my question is
> > > > > How do I get SELinux to let the program do its thing?
> > > > > Or should I just not give a damn?
> > > > > Sean
> > > > 


More information about the Ale mailing list