Ken YANG wrote:
> Aleksander Adamowski wrote:
>> Hi!
>>
>> I often find myself in a need for a tool that would scan a module's .te
>> file and generate the missing requires.
>>
>> It should determine all the missing requires, for which there are rules
>> in that module, in one pass, and present either the missing requires
>> only, or the full contents of the require {} section (in the second
>> case, it could merge the missing class permissions with any existing
>> permissions for given pre-existing classes).
>>
>> I know that I can use audit2allow to generate the requires for me with
>> -r switch, but it has 3 shortcomings:
>>
>> 1. It dumbly generates requires for all the classes/types/attributes
>>    it sees - and since it doesn't know anything about intended module
>>    where the rules will go to, it will probably generate requires for
>>    types/attributes that are defined in that module. Such require
>>    output, when blindly pasted into module's source, will generate
>>    duplicate definition errors.
>> 2. It knows nothing about preexisting requires in the target module,
>>    so it will spit out all of them and one has to remove duplicates
>>    by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq")
>> 3. It won't help me if I write some rules by hand, not based on AVC
>>    messages.
>>
>> I think the problem is widespread enough that someone could have written
>> a tool for that already - I'd like to know about that before I start
>> writing one myself :)
>
> you can ask selinux@xxxxxxxxxxxxx, I remember there are some works in
> upstream similar to your idea.
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The best idea is to get rid of gen_requires altogether, and have the
linker/compiler figure it out. This is being worked on in the new polgen
implementation.
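An added sketch of the tool requested in the thread (not code from any poster or from the SELinux project): it reads one module's .te source and reports only the names and class permissions that its rules use but the module neither declares nor already requires, which covers the three audit2allow -r shortcomings listed above. Assumptions: `missing_requires` and `SAMPLE_TE` are hypothetical names, only plain `allow`/`dontaudit`/`auditallow` rules and `require { }` blocks are parsed (no m4 interface macros), and types and attributes come back in one list because the source alone cannot tell them apart.

```python
import re
from collections import defaultdict

def _set(tok, i):
    """Read `name` or `{ a b }` at tok[i]; return (names, index after it)."""
    if tok[i] != "{":
        return [tok[i]], i + 1
    end = tok.index("}", i)
    return tok[i + 1:end], end + 1

def missing_requires(te_source):
    """Hypothetical helper: names and class perms the rules use but the module lacks."""
    tok = re.findall(r"[{};:,]|[^\s{};:,]+", re.sub(r"#.*", "", te_source))
    known, used, have, need = set(), set(), defaultdict(set), defaultdict(set)
    i, in_require = 0, False
    while i < len(tok):
        if tok[i] == "require" and tok[i + 1:i + 2] == ["{"]:
            in_require, i = True, i + 2
        elif tok[i] == "}" and in_require:
            in_require, i = False, i + 1
        elif tok[i] in ("type", "attribute"):
            end = tok.index(";", i)
            names = [n for n in tok[i + 1:end] if n != ","]
            # In a require all names are imported; in a declaration only the first is defined.
            known.update(names if in_require else names[:1])
            used.update([] if in_require else names[1:])
            i = end + 1
        elif tok[i] == "class" and in_require:
            cls = tok[i + 1]
            perms, i = _set(tok, i + 2)
            have[cls].update(perms)
        elif tok[i] in ("allow", "dontaudit", "auditallow"):
            src, i = _set(tok, i + 1)
            tgt, i = _set(tok, i)
            classes, i = _set(tok, i + 1)  # i + 1 skips the ':'
            perms, i = _set(tok, i)
            used.update(n for n in src + tgt if n != "self")
            for c in classes:
                need[c].update(perms)
        else:
            i += 1
    missing = {c: sorted(p - have[c]) for c, p in need.items() if p - have[c]}
    return sorted(used - known), missing

# Constructed sample module (not from the thread): myapp_t is defined locally.
SAMPLE_TE = """require { type httpd_t; class file { read getattr }; }
type myapp_t; type myapp_log_t, file_type;
allow myapp_t myapp_log_t:file { read write append };
allow httpd_t myapp_t:process signal;
allow myapp_t var_log_t:dir { search getattr };"""
```

For the sample, `missing_requires(SAMPLE_TE)` leaves out `myapp_t` (defined in the module) and `httpd_t` and `file { read }` (already required), so the result can be pasted into the require block without duplicate definition errors.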