October 2004
Intermediate to advanced
256 pages
8h 16m
English
Content preview from SELinuxBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Using Audit2allow
Most implementations of SELinux include Audit2allow, a tool that can help you create or customize a domain. Some fledgling SELinux administrators use Audit2allow indiscriminately, rendering their system less secure. One technical reviewer of this book terms Audit2allow “evil,” not so much because of problems with the tool itself as because of the way it’s often misused. In this section, I’ll explain how to use Audit2allow more carefully, so that you can avoid this pitfall.
Audit2allow is a Perl script that processes recent AVC messages. It
analyzes the messages it finds and prints allow
rules that—if added to the current policy—would authorize
the denied operations. Hence, you can go badly wrong by blindly
accepting its recommendations. For instance, perhaps someone has
attempted a prohibited operation. Adding the rules generated by
Audit2allow will authorize the prohibited operation, but may also
compromise system security. Another more subtle source of problems is
that Audit2allow takes the current type architecture and file labels
as given. Often it’s appropriate—or even
necessary—to create a new domain that encapsulates a program or
operation, as I did in the preceding section. But Audit2allow
provides no help in doing so.
Audit2allow is less than perfect in other ways. For instance, it is
sometimes blind to prohibited operations. This can occur if the
operation is covered by a dontaudit rule. It can also occur if AVC message caching has caused one or more messages ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.