Quickly allowing SELinux to run an application
Posted by Ian S. Nelson Mon, 31 Jul 2006 12:30:00 GMT
I've been setting up SELinux from scratch for a machine lately. Here is the quick and dirty way to let an application run when the current policy denies it something.
Copy the log messages for the blocked application to a file, say tomcatlog.msg. On a system running auditd the AVC denials are in /var/log/audit/audit.log; otherwise they show up in /var/log/messages. The file looks something like this:
avc: denied { ioctl } for pid=6256 comm="su" name="tomcat.log" dev=tmpfs ino=23418 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Run audit2allow with -M, which turns the denials into allow rules (tomcatlog.te) and compiles them into a loadable SELinux policy module package (tomcatlog.pp):
audit2allow -M tomcatlog < ./tomcatlog.msg
Then load the new policy module into the running policy with semodule:
sudo /usr/sbin/semodule -i tomcatlog.pp
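The three steps above as one script, added here as an example (it is not code from the original post). The audit-log path, the module name, the process name and the sample denial lines are assumptions made for illustration; the script filters the log down to one process so the module covers only that application, stops if audit2allow is not installed, and prints the generated .te before loading it.

```shell
#!/bin/sh
# Added example, not code from the original post: the three steps
# (collect the denials, audit2allow -M, semodule -i) as one script.
# Assumed for illustration: the audit log path, the module name "tomcatlog",
# the process name "su", and the sample log lines in sample_log.

# Constructed sample audit log: two denials for su (the process we care
# about), one for an unrelated process, and one non-AVC record.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1154348400.123:1001): avc:  denied  { ioctl } for  pid=6256 comm="su" name="tomcat.log" dev=tmpfs ino=23418 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1154348400.456:1002): avc:  denied  { write } for  pid=6256 comm="su" name="tomcat.log" dev=tmpfs ino=23418 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1154348401.789:1003): avc:  denied  { read } for  pid=7000 comm="httpd" name="index.html" dev=sda1 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1154348400.123:1001): arch=c000003e syscall=16 success=no exit=-13
EOF
}

# Step 1: keep only the AVC denials for one process name (the comm= field),
# read from stdin. Feeding audit2allow the whole log would also allow every
# other denial that happened to be logged at the same time.
extract_denials() {
    grep 'avc: *denied' | grep "comm=\"$1\""
}

# Number of matching denials on stdin; 0 means there is nothing to compile.
count_denials() {
    extract_denials "$1" | wc -l | tr -d ' '
}

# Steps 2 and 3: write the denials to MODULE.msg, compile them into MODULE.pp
# with audit2allow, show the generated rules, and load the package.
# $1 = module name, $2 = comm value, audit log on stdin. Needs root for semodule.
build_and_load() {
    module="$1"
    comm="$2"
    extract_denials "$comm" > "$module.msg"
    if [ ! -s "$module.msg" ]; then
        echo "no AVC denials for comm=\"$comm\"" >&2
        return 1
    fi
    if ! command -v audit2allow >/dev/null 2>&1; then
        echo "audit2allow not installed; would run: audit2allow -M $module < $module.msg" >&2
        return 2
    fi
    audit2allow -M "$module" < "$module.msg" || return 3
    # Read the rules before loading them: audit2allow allows exactly what was
    # denied, and the denial may have been the policy doing its job.
    echo "--- $module.te ---"
    cat "$module.te"
    semodule -i "$module.pp"
}

# Usage on a real host (as root):
#   build_and_load tomcatlog su < /var/log/audit/audit.log
# Dry run anywhere with the constructed sample:
#   sample_log | build_and_load tomcatlog su
```

The filter on comm= is the part worth keeping even if you type the rest by hand: a busy box logs denials for several processes at once, and a module built from the unfiltered log grants all of them.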
I don't recommend building a whole system this way, but after beating on it for a while this is just a really easy way to allow something to run. Do read the generated tomcatlog.te before loading it: audit2allow allows exactly what was denied, and a denial is sometimes the policy doing its job, or a sign that the file is mislabeled, which is a fix for chcon or restorecon rather than a new rule.
