* how to always add rules to a policy
From: briaeros007 @ 2009-09-14 8:40 UTC (permalink / raw)
To: selinux
Hello,

First of all, I'm sorry if my question is something "dumb".

Here is the context of my trouble:
I have created a server with a PHP website.
This PHP website uses a PostgreSQL db on the same server.
I use RHEL 5.3 and SELinux with the policy "targeted".

For the website to work properly, I must add the rule:
"allow httpd_t postgresql_port_t:tcp_socket name_connect;"

So now my problem is:
If I update my server and the policy is updated: is there a way to
automatically add this (local) rule?

What I want to do is to use the RHEL policy as a base, and to add my
own local rules without the need to recompile them/add them manually
at each update.

I don't know if I'm very clear /o\

Cordially
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: how to always add rules to a policy
From: Paul Howarth @ 2009-09-14 11:00 UTC (permalink / raw)
To: briaeros007; +Cc: selinux
On 14/09/09 09:40, briaeros007 wrote:
> Hello,
>
> First of all, I'm sorry if my question is something "dumb".
>
> Here is the context of my trouble:
> I have created a server with a PHP website.
> This PHP website uses a PostgreSQL db on the same server.
> I use RHEL 5.3 and SELinux with the policy "targeted".
>
> For the website to work properly, I must add the rule:
> "allow httpd_t postgresql_port_t:tcp_socket name_connect;"
>
> So now my problem is:
> If I update my server and the policy is updated: is there a way to
> automatically add this (local) rule?
>
> What I want to do is to use the RHEL policy as a base, and to add my
> own local rules without the need to recompile them/add them manually
> at each update.
>
> I don't know if I'm very clear /o\

You probably don't need to add any rules at all. Try setting this
boolean instead:

# setsebool -P httpd_can_network_connect_db=1

Paul.
* Re: how to always add rules to a policy
From: Justin P. Mattock @ 2009-09-14 14:59 UTC (permalink / raw)
To: Paul Howarth; +Cc: briaeros007, selinux
Paul Howarth wrote:
> On 14/09/09 09:40, briaeros007 wrote:
>> Hello,
>>
>> First of all, I'm sorry if my question is something "dumb".
>>
>> Here is the context of my trouble:
>> I have created a server with a PHP website.
>> This PHP website uses a PostgreSQL db on the same server.
>> I use RHEL 5.3 and SELinux with the policy "targeted".
>>
>> For the website to work properly, I must add the rule:
>> "allow httpd_t postgresql_port_t:tcp_socket name_connect;"
>>
>> So now my problem is:
>> If I update my server and the policy is updated: is there a way to
>> automatically add this (local) rule?
>>
>> What I want to do is to use the RHEL policy as a base, and to add my
>> own local rules without the need to recompile them/add them manually
>> at each update.
>>
>> I don't know if I'm very clear /o\
>
> You probably don't need to add any rules at all. Try setting this
> boolean instead:
>
> # setsebool -P httpd_can_network_connect_db=1
>
> Paul.

From what I remember, if using the
selinux-policy-default there was a
file called local.te (can't remember the path)
and in there you would add your allow rules
to the policy. That is if you're using monolithic.

Justin P. Mattock
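
Added example, not part of any message in this thread: on a modular policy such as the RHEL "targeted" policy, a rule that no boolean covers can be kept in a local policy module, which semodule keeps in the module store and relinks when the base policy package is updated. The module name localhttpdpg, the work directory and the --install switch are assumptions of this example.

```bash
#!/bin/bash
# Added example: local policy module carrying the allow rule from the thread.
# MODULE name and work directory are assumptions, not from the thread.
MODULE=localhttpdpg

# True if a getsebool output line ("name --> on") reports the boolean as on.
boolean_is_on() {
    case $1 in
        *'--> on') return 0 ;;
        *)         return 1 ;;
    esac
}

# Write the module source into directory $1.
write_local_te() {
    mkdir -p "$1" || return 1
    cat > "$1/$MODULE.te" <<EOF
module $MODULE 1.0;

require {
    type httpd_t;
    type postgresql_port_t;
    class tcp_socket name_connect;
}

# Rule quoted in the original post.
allow httpd_t postgresql_port_t:tcp_socket name_connect;
EOF
}

# Compile, package and load the module (root and the policy tools required).
install_local_module() {
    checkmodule -M -m -o "$1/$MODULE.mod" "$1/$MODULE.te" &&
    semodule_package -o "$1/$MODULE.pp" -m "$1/$MODULE.mod" &&
    semodule -i "$1/$MODULE.pp"
}

# Only act when asked to, so the file can be sourced safely.
if [ "${1:-}" = "--install" ]; then
    dir=${2:-/root/selinux-local}
    if boolean_is_on "$(getsebool httpd_can_network_connect_db 2>/dev/null)"; then
        echo "httpd_can_network_connect_db is on; no local module needed"
    else
        write_local_te "$dir" && install_local_module "$dir" &&
            semodule -l | grep "^$MODULE"
    fi
fi
```
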