On Tue, 2007-07-24 at 10:17 +0800, Ken YANG wrote:
> Stephen Smalley wrote:
> > On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
> >> Another question, does doing this audit2allow method sort of mean "I
> >> have no idea what I'm doing, so allow it all", or is that why it
> >> caught the hald_t memory portion and said NO, don't do this!
> >
> > As per the audit2allow man page, you should think through the rules
> > generated by audit2allow, not just blindly take them.
> >
> > The neverallow statements aka assertions in the base policy will catch
> > certain kinds of dangerous access or malformed rules, but are certainly
> > not exhaustive.
>
> With your words, can I think the violated assertion, such as:
>
> assertion on line 0 violated by allow ......
>
> only be introduced by "neverallow" rules? Are there any other rules
> that will cause this kind of error?

Only neverallow rules cause those messages to occur. The "assertion on
line 0" part is a holdover of when this was all done when policy was
compiled from source (versus precompiled loadable modules).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list