Living with SE Linux

SE Linux causes a lot of headaches for me because I don’t truly understand how it works. But instead of disabling it at the first sign of trouble this week, I got some more info on troubleshooting and tweaking the policy.

I had compiled my own Bind RPMs to address the latest DoS issue. I’m running version 9.5 since it supports the “allow-query-cache” option and RHEL 5 only provides version 9.3. So after I installed my own RPM, of course SE Linux was preventing named from starting. This is how I fixed it:

Check the audit.log for AVC messages:

# cat /var/log/audit/audit.log |grep 'avc:' > /tmp/se.txt

Edit the text file to include only the SE issues you want to address:

# vi /tmp/se.txt

Create a policy module:

# cat /tmp/se.txt | audit2allow -M local

Load the module:

# semodule -i local.pp

That’s all it took to get Bind working for me.
