Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations]
"DWMFRAMEINTERVAL"=dword:0000000f
~]# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Step 3: run audit2allow -a to see which permissions need to be allowed.
~]# audit2allow -a
#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
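The original document carries an important reminder: a denial like this counts as the software not being set up properly, and it should be reported to Red Hat as a bug.
Step 4: use audit2allow -a -M to generate a loadable module.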
~]# audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mycertwatch.pp
~]# ls
mycertwatch.pp mycertwatch.te
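
How the AVC record from the steps above maps to the rule printed in step 3, as an added example (not from the original post and not audit2allow's own code): it parses denials, groups them by source type, target type and class, and merges the permissions into one allow rule. The second and third log lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial shown above; line 2 is a made-up
# extra denial (assumption) to show permissions being merged; line 3 is a
# made-up non-AVC record that must be skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1226270359.101:239): avc: denied { add_name } for pid=13349 comm="certwatch" name="x.tmp" scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1226270359.101:239): arch=c000003e syscall=2 success=no
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]

def denials_to_rules(log_text):
    """Group AVC denials by (source type, target type, class) and merge perms."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC records (SYSCALL, PATH, ...) are ignored
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_txt};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

Reading the rule this way before running semodule -i shows exactly which access the generated module will grant.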