A tool to generate missing requires for a SELinux module?

Hi!

I often find myself in need of a tool that would scan a module's .te file and generate the missing requires.

It should determine all the missing requires, for which there are rules in that module, in one pass, and present either the missing requires only, or the full contents of the require {} section (in the second case, it could merge the missing class permissions with any existing permissions for the given pre-existing classes).

I know that I can use audit2allow to generate the requires for me with the -r switch, but it has 3 shortcomings:

  1. It dumbly generates requires for all the classes/types/attributes
     it sees - and since it doesn't know anything about the intended module
     where the rules will go, it will probably generate requires for
     types/attributes that are defined in that module. Such require
     output, when blindly pasted into the module's source, will generate
     duplicate definition errors.
  2. It knows nothing about pre-existing requires in the target module,
     so it will spit out all of them and one has to remove duplicates
     by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq")
  3. It won't help me if I write some rules by hand, not based on AVC
     messages.

I think the problem is widespread enough that someone could have written a tool for that already - I'd like to know about that before I start writing one myself :)

--
Best Regards,
   Aleksander Adamowski
       GG#: 274614
ICQ UIN: 19780575 http://olo.org.pl

--
Aleksander Adamowski
   Corporate Systems Administrator; Instructor
   Altkom Akademia S.A. http://www.altkom.pl
   Warsaw, ul. Chłodna 51
mobile: 0-601-318-080

District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register,
KRS: 0000120139, NIP 118-00-08-391, Share capital: 1,000,000 PLN.  Registered address of the company: ul. Stawki 2, 00-193 Warszawa.
This message contains proprietary information and trade secrets of Altkom Akademia S.A. company.
Unauthorized use or disclosure of this information to any third party is prohibited.
If you received this message by mistake, please contact the sender immediately and delete all copies of this message.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
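As an added illustration of the tool the post asks for (this is example code written for this page, not the poster's own or any existing utility), the script below scans a .te module in one pass, collects every type, attribute and class:permission pair referenced by its AV rules, subtracts what the module itself declares and what its existing require {} block already covers, and prints either the missing entries only or a full merged require block. The SAMPLE_TE policy is constructed for the demo. One caveat the post touches on: without a policy database the script cannot tell a type from an attribute, so anything not listed in the hypothetical known_attrs parameter is emitted as a type.

```python
import re

# Constructed sample module (not a real policy) used as the input below.
SAMPLE_TE = """\
policy_module(mytool, 1.0)

require {
    type httpd_t;
    class file { read getattr };
}

type mytool_t;
type mytool_exec_t;
attribute mytool_domain;

# comment with a fake rule that must be ignored: allow a b:c d;
allow mytool_t httpd_t:file { read write open };
allow mytool_t mytool_exec_t:file { execute entrypoint };
allow mytool_domain self:process signal;
allow mytool_t sshd_t:tcp_socket { name_connect };
"""

# Source, target, class and permission fields of an AV rule; each field may be
# a single identifier or a brace-delimited set.
AV_RULE = re.compile(
    r'\b(?:allow|dontaudit|auditallow|neverallow)\s+'
    r'(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+):(\{[^}]*\}|\w+)\s+(\{[^}]*\}|[^\s;]+)\s*;')


def _split_set(tok):
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']."""
    return tok.strip('{} \t\n').split()


def _find_require_block(text):
    """Locate the first require { ... } block; returns (start, end, body) or None.
    Braces are counted because class statements nest their own { perms }."""
    m = re.search(r'\brequire\s*\{', text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return m.start(), i, text[m.end():i - 1]


def _parse_require_body(body):
    """Existing requires: identifiers keyed by keyword, permissions keyed by class."""
    req = {'type': set(), 'attribute': set(), 'class': {}}
    for stmt in body.split(';'):
        parts = stmt.split(None, 1)
        if len(parts) != 2:
            continue
        kw, rest = parts
        if kw == 'class':
            cls_parts = rest.split(None, 1)
            perms = cls_parts[1] if len(cls_parts) == 2 else ''
            req['class'].setdefault(cls_parts[0], set()).update(_split_set(perms))
        else:  # type, attribute (role/bool are kept but not rendered below)
            req.setdefault(kw, set()).update(n.strip() for n in rest.split(','))
    return req


def analyze(te_text):
    """Return (existing_requires, missing_identifiers, missing_class_perms)."""
    text = re.sub(r'#.*', '', te_text)
    blk = _find_require_block(text)
    if blk:
        start, end, body = blk
        existing = _parse_require_body(body)
        text = text[:start] + text[end:]          # don't mistake requires for definitions
    else:
        existing = {'type': set(), 'attribute': set(), 'class': {}}
    # Types/attributes the module itself declares never need a require.
    local = set(re.findall(r'^\s*(?:type|attribute)\s+(\w+)', text, re.M))
    known = local | existing['type'] | existing['attribute']
    needed_ids, needed_cls = set(), {}
    for src, tgt, cls, perms in AV_RULE.findall(text):
        for tok in _split_set(src) + _split_set(tgt):
            tok = tok.lstrip('-')                 # '-foo_t' excludes foo_t from a set
            if tok and tok != 'self':
                needed_ids.add(tok)
        plist = [p for p in _split_set(perms.lstrip('~')) if p != '*']
        for c in _split_set(cls):
            needed_cls.setdefault(c, set()).update(plist)
    missing_cls = {}
    for c, perms in needed_cls.items():
        have = existing['class'].get(c, set())
        if c not in existing['class'] or perms - have:
            missing_cls[c] = sorted(perms - have)
    return existing, sorted(needed_ids - known), missing_cls


def generate(te_text, merged=False, known_attrs=()):
    """Paste-ready require block. known_attrs is an assumption: names listed
    there become 'attribute' requires, everything else is emitted as 'type'."""
    existing, ids, cls = analyze(te_text)
    types = {i for i in ids if i not in known_attrs}
    attrs = {i for i in ids if i in known_attrs}
    classes = {c: set(p) for c, p in cls.items()}
    if merged:                                    # fold the pre-existing block in
        types |= existing['type']
        attrs |= existing['attribute']
        for c, p in existing['class'].items():
            classes.setdefault(c, set()).update(p)
    out = ['require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tattribute {a};' for a in sorted(attrs)]
    out += [f'\tclass {c} {{ {" ".join(sorted(classes[c]))} }};' for c in sorted(classes)]
    out.append('}')
    return '\n'.join(out)


if __name__ == '__main__':
    print(generate(SAMPLE_TE))                    # missing entries only
    print(generate(SAMPLE_TE, merged=True))       # full block to paste over the old one
```

On the sample, the missing-only mode reports sshd_t plus the file permissions not already covered (entrypoint, execute, open, write) and the new process and tcp_socket classes, while the merged mode re-emits httpd_t and folds read/getattr back into the file line, which addresses the duplicate-definition and duplicate-require problems from points 1 and 2 and works on hand-written rules as in point 3.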
