http://blog.clearnetsec.com/articles/2006/07/31/quickly-allowing-selinux-to-run-an-application en-us 40 <p> I've been setting up&nbsp; <a href="http://www.nsa.gov/selinux/">SELinux</a> from scratch for a machine lately.&nbsp;&nbsp; Here is the quick and dirty way to let an application run that doesn't have permissions. </p> <p> &nbsp; </p> <p> Copy the log messages for the blocked application to a file, say tomcatlog.msg which looks something like this:<br /> </p> <p> avc:&nbsp; denied&nbsp; { ioctl } for&nbsp; pid=6256 comm=&quot;su&quot; name=&quot;tomcat.log&quot; dev=tmpfs ino=23418 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file&nbsp; </p> <p> &nbsp; </p> <p> run audit2allow which compiles the log message in to an selinux package: </p> <p> &nbsp; </p> <p> audit2allow -M tomcatlog &lt; ./tomcatlog.msg </p> <p> &nbsp; </p> <p> Then load the new selinux package into selinux with semodule: </p> <p> &nbsp; </p> <p> sudo /usr/sbin/semodule -i tomcatlog.pp&nbsp; </p> <p> &nbsp; </p> <p> &nbsp; </p> <p> I don't recommend building a whole system this way but after beating on it for a while this is just a really easy way to allow something to run.&nbsp; </p> <!-- technorati tags begin --><p style="font-size:10px;text-align:right;">technorati tags: <a href="http://technorati.com/tag/linux" rel="tag">linux</a>, <a href="http://technorati.com/tag/selinux" rel="tag">selinux</a></p><!-- technorati tags end --> Mon, 31 Jul 2006 06:30:00 -0600 urn:uuid:5686a4e1-23df-4bcb-bb78-dc4e47b45c1e ian@ClearNetSec.com (Ian S. Nelson) http://blog.clearnetsec.com/articles/2006/07/31/quickly-allowing-selinux-to-run-an-application linux selinux