Re: Debian testing +selinux

Stephen Smalley wrote:
> On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
>> Another question, does doing this audit2allow method sort of mean "I
>> have no idea what I'm doing, so allow it all", or is that why it
>> caught the hald_t memory portion and said NO, don't do this!
> 
> As per the audit2allow man page, you should think through the rules
> generated by audit2allow, not just blindly take them.
> 
> The neverallow statements aka assertions in the base policy will catch
> certain kinds of dangerous access or malformed rules, but are certainly
> not exhaustive.

Going by your words, can I take it that a violated assertion, such as:

assertion on line 0 violated by allow ......

can only be introduced by "neverallow" rules? Are there any other rules
that will cause this kind of error?

> 
> Mapping the low-level allow rules to higher level abstractions is
> something you get from using reference policy, if you use the reference
> policy interfaces.  You might try running audit2allow with the -R option
> to try to have it generate calls to reference policy interfaces.  What
> version of audit2allow are you using?
> 
> You may want to try SLIDE for policy writing, as it makes it much easier
> to search reference policy interfaces, access the inline documentation,
> etc.
> 

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
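
The neverallow check discussed in this message, as an added example that is not part of the original post or of any SELinux tool: a simplified Python model that matches audit2allow-style allow rules against a neverallow assertion. The type names, the `domain` attribute membership and all rules are constructed, and only single-class rules with an optional `~` on the source are parsed.

```python
import re

# Constructed sample data: type names and rules are illustrative only.
TYPES = {"hald_t", "xserver_t", "kernel_t", "memory_device_t", "etc_t"}
ATTRIBUTES = {"domain": {"hald_t", "xserver_t", "kernel_t"}}
NEVERALLOW = ["neverallow ~{ xserver_t kernel_t } memory_device_t:chr_file { read write };"]
GENERATED = [  # the kind of rules audit2allow might emit from denials
    "allow hald_t memory_device_t:chr_file { read write };",
    "allow hald_t etc_t:file { read getattr };",
    "allow xserver_t memory_device_t:chr_file read;",
]

RULE = re.compile(
    r"^(allow|neverallow)\s+(~?)(\{[^}]*\}|[^\s:]+)\s+"
    r"(\{[^}]*\}|[^\s:]+):(\w+)\s+(\{[^}]*\}|[^\s;]+);$"
)

def names(token):
    """Split 'a' or '{ a b }' into a set of names."""
    return set(token.strip("{} ").split())

def expand(token):
    """Replace attribute names by their member types."""
    out = set()
    for name in names(token):
        out |= ATTRIBUTES.get(name, {name})
    return out

def parse(rule):
    m = RULE.match(rule.strip())
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    kind, negated, src, tgt, cls, perms = m.groups()
    # '~' means every known type except the listed ones.
    sources = TYPES - expand(src) if negated else expand(src)
    return kind, sources, expand(tgt), cls, names(perms)

def violations(allow_rules, neverallow_rules):
    """Return (allow, neverallow, overlapping perms) for each violated assertion."""
    found = []
    for allow in allow_rules:
        _, a_src, a_tgt, a_cls, a_perms = parse(allow)
        for never in neverallow_rules:
            _, n_src, n_tgt, n_cls, n_perms = parse(never)
            overlap = a_perms & n_perms
            if a_src & n_src and a_tgt & n_tgt and a_cls == n_cls and overlap:
                found.append((allow, never, sorted(overlap)))
    return found

if __name__ == "__main__":
    for allow, never, perms in violations(GENERATED, NEVERALLOW):
        print(f"assertion violated by: {allow}\n  perms {perms} forbidden by: {never}")
```

Only the first generated rule is reported; the other two pass this one assertion, which is a reminder that passing the assertions does not make a generated rule safe to accept.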