Stephen Smalley wrote:
> On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
>> Another question, does doing this audit2allow method sort of mean "I
>> have no idea what I'm doing, so allow it all", or is that why it
>> caught the hald_t memory portion and said NO, don't do this!
>
> As per the audit2allow man page, you should think through the rules
> generated by audit2allow, not just blindly take them.
>
> The neverallow statements aka assertions in the base policy will catch
> certain kinds of dangerous access or malformed rules, but are certainly
> not exhaustive.

From your words, can I take it that a violated assertion, such as:

assertion on line 0 violated by allow ......

can only be introduced by "neverallow" rules? Are there any other rules that will cause this kind of error?

> Mapping the low-level allow rules to higher level abstractions is
> something you get from using reference policy, if you use the reference
> policy interfaces. You might try running audit2allow with the -R option
> to try to have it generate calls to reference policy interfaces. What
> version of audit2allow are you using?
>
> You may want to try SLIDE for policy writing, as it makes it much easier
> to search reference policy interfaces, access the inline documentation,
> etc.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
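As an added illustration of the neverallow/assertion discussion in this thread (my own constructed code, not from the thread, from checkpolicy or from libsepol), the toy checker below models what an assertion check does: every neverallow rule is compared against every allow rule, and an allow rule that grants any forbidden (source, target, class, permission) combination violates the assertion. The policy fragment, the type names and the permission names are constructed for the example; the real compiler also handles attributes, wildcards and complements, which this model omits.

```python
"""Toy model of the neverallow assertion check (constructed example).

Supports rules of the form:
    allow      SRC TGT:CLASS PERMS ;
    neverallow SRC TGT:CLASS PERMS ;
where SRC, TGT and PERMS are a single name or a `{ a b c }` set, and TGT
may be `self`. Attributes, `*` and `~` are deliberately not modelled.
"""
import re

RULE_RE = re.compile(
    r'^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)'
    r'\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$'
)

# Constructed sample policy; the neverallow plays the role of a base-policy
# assertion and the allow rules the role of audit2allow output.
SAMPLE_POLICY = """\
# constructed sample, not real reference policy
neverallow { hald_t user_t } self:process { execmem execheap };
allow hald_t self:process { execmem sigchld };
allow hald_t user_t:process { execmem };
allow user_t self:process { execheap fork };
allow hald_t self:process { sigchld };
"""


def _names(token):
    """Turn `name` or `{ a b }` into a set of names."""
    return set(token.strip('{}').split())


def parse_policy(text):
    """Parse allow/neverallow rules, keeping the 1-based line of each."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: cannot parse {line!r}')
        kind, src, tgt, cls, perms = m.groups()
        rules.append({
            'kind': kind, 'line': lineno, 'class': cls,
            'src': _names(src),
            'self': tgt == 'self',
            'tgt': set() if tgt == 'self' else _names(tgt),
            'perms': _names(perms),
        })
    return rules


def _pairs(rule):
    """All (source, target) combinations a rule covers.

    `self` means each source type paired with itself only, so a rule on
    hald_t self does NOT cover (hald_t, user_t)."""
    if rule['self']:
        return {(s, s) for s in rule['src']}
    return {(s, t) for s in rule['src'] for t in rule['tgt']}


def check_assertions(rules):
    """Return every (neverallow, allow) clash, in policy order."""
    allows = [r for r in rules if r['kind'] == 'allow']
    violations = []
    for na in (r for r in rules if r['kind'] == 'neverallow'):
        for al in allows:
            if al['class'] != na['class']:
                continue
            pairs = _pairs(al) & _pairs(na)
            perms = al['perms'] & na['perms']
            if pairs and perms:            # some forbidden tuple is granted
                violations.append({
                    'neverallow_line': na['line'], 'allow_line': al['line'],
                    'pairs': sorted(pairs), 'class': na['class'],
                    'perms': sorted(perms),
                })
    return violations


def format_violations(violations):
    """Render clashes in a style loosely modelled on the compiler's message."""
    out = []
    for v in violations:
        for s, t in v['pairs']:
            out.append(f"assertion on line {v['neverallow_line']} violated by "
                       f"allow {s} {t}:{v['class']} {{ {' '.join(v['perms'])} }}; "
                       f"(allow rule at line {v['allow_line']})")
    return out


if __name__ == '__main__':
    for msg in format_violations(check_assertions(parse_policy(SAMPLE_POLICY))):
        print(msg)
```

Running it reports the execmem grant on line 3 and the execheap grant on line 5 as violations of the assertion on line 2, while line 4 passes because a `self` assertion only constrains each type against itself, and line 6 passes because sigchld is not in the forbidden set. The point for audit2allow output is the one Stephen makes above: the assertion check only catches what someone wrote a neverallow for, so everything else in the generated rules still has to be read by a person.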