Re: Debian testing +selinux

On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
> Another question, does doing this audit2allow method sort of mean "I
> have no idea what I'm doing, so allow it all", or is that why it
> caught the hald_t memory portion and said NO, don't do this!

As per the audit2allow man page, you should think through the rules
generated by audit2allow, not just blindly take them.

The neverallow statements aka assertions in the base policy will catch
certain kinds of dangerous access or malformed rules, but are certainly
not exhaustive.

Mapping the low-level allow rules to higher level abstractions is
something you get from using reference policy, if you use the reference
policy interfaces.  You might try running audit2allow with the -R option
to try to have it generate calls to reference policy interfaces.  What
version of audit2allow are you using?

You may want to try SLIDE for policy writing, as it makes it much easier
to search reference policy interfaces, access the inline documentation,
etc.

-- 
Stephen Smalley
National Security Agency
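To make the reply's three points concrete (audit2allow turns denials into raw allow rules, -R tries to replace those with reference policy interface calls, and base-policy assertions reject some of the generated access), here is an added Python sketch of that pipeline. It is not code from the thread, from audit2allow, or from reference policy: the AVC log lines are constructed, the execmem denial is an assumption standing in for the "hald_t memory portion" the thread mentions (the page does not name the permission), the neverallow list is a constructed stand-in for base-policy assertions, and the interface table is an assumed mapping using reference policy style names rather than a copy of any real interface definition.

```python
import re

# Constructed sample AVC denials for a hald process (not taken from the page).
# Assumption: the execmem denial stands in for the "hald_t memory portion"
# the thread mentions; the page does not name the exact permission.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1185200000.123:42): avc:  denied  { read } for  pid=2345 comm="hald" name="cpuinfo" dev=proc ino=4026 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1185200001.456:43): avc:  denied  { execmem } for  pid=2345 comm="hald" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process
type=AVC msg=audit(1185200002.789:44): avc:  denied  { getattr } for  pid=2345 comm="hald" path="/dev/sda" dev=tmpfs ino=1234 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed stand-in for base-policy neverallow assertions:
# (source types, target types, object class, forbidden permissions).
NEVERALLOW = [
    ({"hald_t"}, {"hald_t"}, "process", {"execmem", "execheap", "execstack"}),
]

# Constructed (target type, class) -> (interface name, permissions it grants)
# table, standing in for the reference policy knowledge audit2allow -R uses.
# The names follow reference policy naming; the mapping itself is an
# assumption for this example, not a copy of any real interface definition.
INTERFACES = {
    ("proc_t", "file"): ("kernel_read_system_state", {"read", "getattr", "open"}),
    ("fixed_disk_device_t", "blk_file"): ("storage_getattr_fixed_disk_dev", {"getattr"}),
}

def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]

def parse_denials(log):
    """Yield (source_type, target_type, class, perms) for each AVC denial line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m.group("scon")), type_of(m.group("tcon")),
                   m.group("tclass"), set(m.group("perms").split()))

def merge_denials(denials):
    """Collapse denials onto (source, target, class) keys, unioning permissions."""
    merged = {}
    for s, t, c, perms in denials:
        merged.setdefault((s, t, c), set()).update(perms)
    return merged

def render_allow(s, t, c, perms):
    target = "self" if s == t else t
    return f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};"

def render_allow_rules(merged):
    """Raw allow rules, the default audit2allow output."""
    return [render_allow(s, t, c, p) for (s, t, c), p in sorted(merged.items())]

def render_interface_calls(merged, interfaces=INTERFACES):
    """Prefer an interface call where one covers every requested permission,
    in the spirit of audit2allow -R; fall back to a raw rule otherwise."""
    out = []
    for (s, t, c), perms in sorted(merged.items()):
        name, covered = interfaces.get((t, c), (None, set()))
        out.append(f"{name}({s})" if name and perms <= covered
                   else render_allow(s, t, c, perms))
    return out

def check_assertions(merged, assertions=NEVERALLOW):
    """Return generated rules an assertion would reject, with the clashing perms."""
    hits = []
    for (s, t, c), perms in merged.items():
        for ns, nt, nc, nperms in assertions:
            clash = perms & nperms
            if s in ns and t in nt and c == nc and clash:
                hits.append((s, t, c, frozenset(clash)))
    return hits

def review(log):
    """Run the whole pipeline over one audit log and return every intermediate."""
    merged = merge_denials(parse_denials(log))
    return {
        "rules": render_allow_rules(merged),
        "interface_calls": render_interface_calls(merged),
        "violations": check_assertions(merged),
    }

if __name__ == "__main__":
    result = review(SAMPLE_AUDIT_LOG)
    for rule in result["rules"]:
        print(rule)
    print("--- with interface calls ---")
    for call in result["interface_calls"]:
        print(call)
    for s, t, c, perms in result["violations"]:
        print(f"rejected by assertion: {s} -> {t}:{c} {sorted(perms)}")
```

The point of the last step is the one the reply makes: the execmem rule survives both the raw and the interface-call rendering and is only stopped by an assertion, while a denial with no matching assertion (the raw disk getattr, say) sails through. The assertion check is a safety net for a few dangerous patterns, not a substitute for reading each generated rule and deciding whether the program should have that access at all.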

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
