> From: Shintaro Fujiwara [mailto:shin216@xxxxxxxxxxxxxxxx]
[text cut]
> > As a matter of fact, I printed every interface and felt at a loss,
> because of its thickness.
>
Yes, not a good idea. :)

> In what page or software can I find those defined interfaces?
> SLIDE?
>
SLIDE has multiple features that can help you find interfaces. Its default configuration brings up an Interfaces window on the right side. The interfaces are grouped by layer (e.g., kernel, services, apps, etc.) and then by module. If you left-click on an interface name, SLIDE shows you the policy source for the interface in the Declaration tabbed window at the bottom.

You do need to understand the convention used for interface names and have a general idea of where an interface might be found. SLIDE gives you interface completion in the module editing window when you type <Ctrl><space>. The completion pop-up shows initial matches in module names up until the first underscore, '_'. For example, if I type "core" and hit <Ctrl><space>, SLIDE will show me the possible completions are "corecommands" and "corenetworks", and it will show me a summary comment for each one. If I pick "corecommands", SLIDE completes the first part of the interface, "corecmd_", and then it will show all of the interfaces that start with "corecmd_" and short descriptions of each one. I select which interface I want, let's say "corecmd_bin_domtrans", and SLIDE pastes the full name in with "()" and shows a hint about what arguments are required for the interface (in this case it shows "domain, target_domain"). You can also press <Ctrl><Shift><space> between the parentheses to see the parameter popup again.

The descriptions are only as complete as the authors made them. The general format of interfaces and syntax conventions can be found on the Reference Policy pages, <http://oss.tresys.com/projects/refpolicy>, and I'm sure Chris PeBenito would welcome any Reference Policy patches that expand the interface documentation.

SLIDE, <http://oss.tresys.com/projects/slide>, has plenty of documentation and we would welcome any suggestions.

> I once wrote such software named segatex...
>
> Why is audit2allow just echoing raw access vectors and not interfaces?

It is a simple tool designed to make it easy for people whose main objective is to get their application working. It is useful in providing a quick summary of the denials in the logs, but if you're trying to develop a strict policy you should not simply accept the output of audit2allow as your policy.

> I think if audit2allow has such an option, it would be more convenient
> and rewarding.
>
I believe that is Karl's objective with Madison/sepolgen. Matching an appropriate interface is not an easy problem. Even if you have a tool that can suggest the appropriate interface, you still need to consider if the access is really required (quite often applications ask for access they don't really need) and, if so, if you should allow the access or fix the application.

> Maybe I should rewrite my own program ...segatex...by this
> summer, though.
> Or are there other projects doing the same thing?
> Karl's project?
>
> http://sourceforge.net/projects/segatex/
>
> http://intrajp.no-ip.com my homepage
>
>
> Officer, System-Information, Signal School, JGSDF
>
>
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
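The reply above makes two points that a small script can show side by side: interface names follow a module-prefix convention (everything before the first underscore, so corecmd_ for corecommands), and turning audit2allow's raw access vectors back into interface calls is a matching problem that can only suggest candidates, not decide for you. The following Python is an added example written for this page; it is not code from the thread, from SLIDE, from Madison/sepolgen or from the Reference Policy. The .if snippet, the interface bodies, the domain myapp_t and the audit2allow lines are all constructed for the example, and the interface bodies are flattened to plain allow rules (real Reference Policy interfaces wrap these in gen_require() and pattern macros, which this toy parser does not handle).

```python
"""Toy interface matcher for audit2allow output (added example, not project code).

Indexes a constructed, simplified Reference Policy .if snippet, then ranks
interfaces whose allow rules cover the raw access vectors that audit2allow
prints, binding $1/$2 to the concrete types seen in the denials.
"""
import re

# Constructed stand-in for refpolicy .if content. Real interfaces use
# gen_require() and pattern macros; only flat allow rules are indexed here.
SAMPLE_IF = r"""
## <summary>Read and execute generic bin programs.</summary>
interface(`corecmd_exec_bin',`
    allow $1 bin_t:dir search;
    allow $1 bin_t:file { getattr read execute };
')

## <summary>Execute a bin program in the specified domain.</summary>
interface(`corecmd_bin_domtrans',`
    allow $1 bin_t:dir search;
    allow $1 bin_t:file { getattr read execute };
    allow $2 bin_t:file entrypoint;
    allow $1 $2:process transition;
    type_transition $1 bin_t:process $2;
')

## <summary>Read generic files in /etc.</summary>
interface(`files_read_etc_files',`
    allow $1 etc_t:dir { getattr search read };
    allow $1 etc_t:file { getattr read };
')
"""

# Constructed audit2allow output for a hypothetical domain myapp_t.
SAMPLE_AUDIT2ALLOW = """
allow myapp_t bin_t:dir search;
allow myapp_t bin_t:file { read getattr execute };
allow myapp_t etc_t:file { read getattr };
"""

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\w+)\s+(\{[^}]*\}|\S+?);")
IFACE_RE = re.compile(
    r"(?:##\s*<summary>(.*?)</summary>\s*)?interface\(`(\w+)',`(.*?)'\)", re.S)


def parse_rules(text):
    """Return (source, target, class, frozenset(perms)) for each allow rule."""
    return [(s, t, c, frozenset(p.strip("{} ").split()))
            for s, t, c, p in RULE_RE.findall(text)]


def parse_interfaces(if_text):
    """Map interface name -> summary comment, allow rules and parameter count."""
    out = {}
    for summary, name, body in IFACE_RE.findall(if_text):
        params = max((int(n) for n in re.findall(r"\$(\d)", body)), default=0)
        out[name] = {"summary": summary.strip(), "rules": parse_rules(body),
                     "params": params}
    return out


def module_prefix(name):
    """The naming convention SLIDE's completion relies on: the module prefix
    is the part of the interface name before the first underscore."""
    return name.split("_", 1)[0]


def _unify(pattern, value, binding):
    """Bind $n to a concrete type, or require a literal type to match."""
    if pattern.startswith("$"):
        return binding.setdefault(pattern, value) == value
    return pattern == value


def _rule_covers(rule, denial, binding):
    """True if the interface rule grants the denied perms under a binding
    consistent with the bindings already made for this interface."""
    r_src, r_tgt, r_cls, r_perms = rule
    d_src, d_tgt, d_cls, d_perms = denial
    trial = dict(binding)
    if (r_cls == d_cls and d_perms <= r_perms
            and _unify(r_src, d_src, trial) and _unify(r_tgt, d_tgt, trial)):
        binding.update(trial)
        return True
    return False


def suggest(interfaces, denials):
    """Rank interfaces by how many denials they cover under one consistent
    binding, then by how many of their rules go beyond what was denied."""
    ranked = []
    for name, iface in interfaces.items():
        binding, used, covered = {}, set(), 0
        for denial in denials:
            for i, rule in enumerate(iface["rules"]):
                if _rule_covers(rule, denial, binding):
                    used.add(i)
                    covered += 1
                    break
        if not covered:
            continue
        # "?" marks a parameter the denials do not determine (a human must pick it).
        args = [binding.get(f"${n}", "?") for n in range(1, iface["params"] + 1)]
        ranked.append({"call": f"{name}({', '.join(args)})", "covered": covered,
                       "surplus": len(iface["rules"]) - len(used),
                       "summary": iface["summary"]})
    return sorted(ranked, key=lambda r: (-r["covered"], r["surplus"]))


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_IF)
    for s in suggest(ifaces, parse_rules(SAMPLE_AUDIT2ALLOW)):
        print(f"{s['call']:36} covers {s['covered']} denial(s), "
              f"{s['surplus']} extra rule(s)  # {s['summary']}")
```

On the constructed input, corecmd_exec_bin(myapp_t) covers the two bin_t denials with nothing left over, while corecmd_bin_domtrans(myapp_t, ?) covers the same two but would additionally grant an entrypoint and a process transition to a target domain the logs never named. That surplus is exactly the judgement the reply says a tool cannot make for you: whether the application should be allowed the access at all, and which interface expresses only what it needs.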