Is there a way to disable a particular module in selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to modify and rebuild the whole RPM?
Our versions of Ruby and Passenger put things in different places than the ones expected by the SELinux passenger module so we've had to remove it and make our own. That meant we missed a RHEL 6.4 selinux-policy update and ended up with a broken Samba 3.6. If there's a way we can go back to using the standard selinux-policy rpms but disable the passenger module, it would be very useful.
Thanks,
Moray. "To err is human; to purr, feline."
On 04/26/2013 11:16 AM, Moray Henderson wrote:
Is there a way to disable a particular module in selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to modify and rebuild the whole RPM?
Our versions of Ruby and Passenger put things in different places than the ones expected by the SELinux passenger module so we've had to remove it and make our own. That meant we missed a RHEL 6.4 selinux-policy update and ended up with a broken Samba 3.6. If there's a way we can go back to using the standard selinux-policy rpms but disable the passenger module, it would be very useful.
Thanks,
Moray. "To err is human; to purr, feline."
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
What issues are you getting? If you have different paths then you should run in the httpd_t domain. Could you attach AVC msgs which you are getting? Is there a reason to not use RHEL passenger policy and just add labeling for your paths?
Regards, Miroslav
From: Miroslav Grepl [mailto:mgrepl@redhat.com] Sent: 29 April 2013 08:58 On 04/26/2013 11:16 AM, Moray Henderson wrote:
Is there a way to disable a particular module in selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to modify and rebuild the whole RPM?
Our versions of Ruby and Passenger put things in different places
than
the ones expected by the SELinux passenger module so we've had to remove it and make our own. That meant we missed a RHEL 6.4 selinux-policy update and ended up with a broken Samba 3.6. If there's a way we can go back to using the standard selinux-policy
rpms
but disable the passenger module, it would be very useful.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
What issues are you getting? If you have different paths then you should run in the httpd_t domain. Could you attach AVC msgs which you are getting? Is there a reason to not use RHEL passenger policy and just add labeling for your paths?
Regards, Miroslav
I had developed a policy module for my Rails/Passenger application before there was an RHEL passenger policy. It creates its own specific types using the httpd interface and it works. The RHEL module was written for different versions of Ruby, Rails and Passenger: it expects things in different places, uses different types, and some of the .fc specifications conflict with mine. This is not a complaint, it's just that different programmers, working independently and with different goals in mind, will inevitably design their software in different ways. If I was developing something new then obviously I would use the RHEL policy and the versions of packages it was designed for. However now it would take a lot of work to bring my existing policy or application into line with yours. Since I already have something that works now, I don't think I can face putting a lot of effort into redesigning it so that it simply still works.
Anyway, thanks Dominick for the "semodule -d" tip - I haven't had a chance to test it in my installer yet but it looks as if it should do the trick.
Moray. “To err is human; to purr, feline.”
On 04/29/13 03:58, Miroslav Grepl wrote:
On 04/26/2013 11:16 AM, Moray Henderson wrote:
Is there a way to disable a particular module in selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to modify and rebuild the whole RPM?
Our versions of Ruby and Passenger put things in different places than the ones expected by the SELinux passenger module so we've had to remove it and make our own. That meant we missed a RHEL 6.4 selinux-policy update and ended up with a broken Samba 3.6. If there's a way we can go back to using the standard selinux-policy rpms but disable the passenger module, it would be very useful.
What issues are you getting? If you have different paths then you should run in the httpd_t domain. Could you attach AVC msgs which you are getting? Is there a reason to not use RHEL passenger policy and just add labeling for your paths?
I suspect he's like we are: we're on CentOS, so RHEL would be the same: the version of ruby is very old, and we use 1.8.7-enterprise (I think it is), so it's over in /opt.
mark
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 04/26/2013 05:16 AM, Moray Henderson wrote:
Is there a way to disable a particular module in selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to modify and rebuild the whole RPM?
Our versions of Ruby and Passenger put things in different places than the ones expected by the SELinux passenger module so we've had to remove it and make our own. That meant we missed a RHEL 6.4 selinux-policy update and ended up with a broken Samba 3.6. If there's a way we can go back to using the standard selinux-policy rpms but disable the passenger module, it would be very useful.
Thanks,
Moray. "To err is human; to purr, feline."
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Why not fix the labeling so it matches the default locations?
From: Daniel J Walsh [mailto:dwalsh@redhat.com] Sent: 06 May 2013 19:19 On 04/26/2013 05:16 AM, Moray Henderson wrote:
Is there a way to disable a particular module in selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to modify and rebuild the whole RPM?
Our versions of Ruby and Passenger put things in different places
than
the ones expected by the SELinux passenger module so we've had to remove it and make our own. That meant we missed a RHEL 6.4 selinux-policy update and ended up with a broken Samba 3.6. If there's a way we can go back to using the standard selinux-policy
rpms
but disable the passenger module, it would be very useful.
Thanks,
Why not fix the labeling so it matches the default locations?
It's been a while since I looked at how it all fits together - maybe coming back to it after a break will show up an easier path to do that.
Moray. “To err is human; to purr, feline.”
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 04/26/2013 05:16 AM, Moray Henderson wrote:
Is there a way to disable a particular module in selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to modify and rebuild the whole RPM?
Our versions of Ruby and Passenger put things in different places than the ones expected by the SELinux passenger module so we've had to remove it and make our own. That meant we missed a RHEL 6.4 selinux-policy update and ended up with a broken Samba 3.6. If there's a way we can go back to using the standard selinux-policy rpms but disable the passenger module, it would be very useful.
Thanks,
Moray. "To err is human; to purr, feline."
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
semodule -d MODULENAME
Will disable a module.
selinux@lists.fedoraproject.org