[ale] SELinux & abrtd

Jim Kinney jim.kinney at gmail.com
Sat Sep 18 10:24:28 EDT 2010


That's a policy writing tool
Grep for setroubleshoot in rpm -qa output

On Sep 17, 2010 9:43 PM, "Drifter" <drifter at oppositelock.org> wrote:
> Jim,
> What I used was system-config-selinux.
>
> Sean
>
> -----------------------------------------------------------------------
>
> On Friday, September 17, 2010 03:48:44 pm Jim Kinney wrote:
>> _which_ gui tool? The one that works pretty well in Fedora is the
>> selinux troubleshooter. It's an automatic desktop thing with an
>> alerter. It has a details drop down that includes a command line to
>> fix the problem. If you don't clear the tool, you can go back and
>> review past events.
>>
>> Most of the reports will not be real break in attempts but will be
>> places when an app tried to do a transition that was not allowed (i.e.
>> a selinux policy bug or the app developer changed the way something
>> worked under hood and the selinux team "didn't get the memo".)
>>
>> On Fri, Sep 17, 2010 at 3:29 PM, Drifter <drifter at oppositelock.org>
> wrote:
>> > I tried using the GUI SELinux command tool -- even went to Red Hat's
>> > own "how to" page for the tool. The instructions were incomplete,
>> > to say the least. The tool simply does not work the way it should.
>> > It lists all the programs for which it has a rule set. But there is
>> > no obvious way to pull up the existing rule set for the program in
>> > question, in this case abrtd. The tool will only let you create a
>> > new rule set from scratch. This is STUPID! Then it requires choices
>> > without defining them, leaving the user to guess.
>> > I'm sorry; I tried. This tool is simply not ready for prime time.
>> > SELinux may be a "Good Thing" (tm) but I have had at least a half
>> > dozen SELinux reports in the past month, all of them false alarms.
>> > Have set the damn thing to Permissive Mode.
>> >
>> > Sean
>> >
>> >
>> > ---------------------------------------------------------------------
>> > --------
>> >
>> > On Friday, September 17, 2010 02:37:20 pm Jim Kinney wrote:
>> > > for that matter you can run windows but you wouldn't want to.
>> > >
>> > > SELinux is a good thing. It should be used. When there are bugs
>> > > they should be reported. With a basic target policy it "JustWorks"
>> > > 99+% of the time. That other tiny fraction is not a show stopper
>> > > 99.9+% of the time.
>> > >
>> > > So a bit of policy tweaks (the gui tool in Fedora actually will
>> > > tell you the command to run to allow the blocked process) are a
>> > > good thing to learn about.
>> > >
>> > > On Fri, Sep 17, 2010 at 2:18 PM, Jim Lynch
>> >
>> > <ale_nospam at fayettedigital.com>wrote:
>> > > > You can do what I always do and disable SELinux.
>> > > >
>> > > > Jim.
>> > > >
>> > > > On 09/17/2010 11:52 AM, Drifter wrote:
>> > > > > got this message this morning:
>> > > > >
>> > > > > SELinux denied access requested by abrtd. It is not expected
>> > > > > that this access is required by abrtd and this access may
>> > > > > signal an intrusion attempt. It is also possible that the
>> > > > > specific version or
>> > > > > configuration of the application is causing it to require
>> > > > > additional access.
>> > > > >
>> > > > > All I know about abrtd is what Google turned up:
>> > > > >
>> > > > > abrt is a tool to help users to detect defects in applications
>> > > > > and
>> > > > >
>> > > > > to create a bug report with all informations needed by
>> > > > > maintainer to fix
>> > > >
>> > > > it.
>> > > >
>> > > > > It uses plugin system to extend its functionality.
>> > > > > So I think my question is
>> > > > > How do I get SELinux to let the program do its thing?
>> > > > > Or should I just not give a damn?
>> > > > > Sean
>> > > >
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20100918/747c0caf/attachment-0001.html 


More information about the Ale mailing list