On Wed, 2013-04-17 at 09:12 -0600, Richard Greenwood wrote:
>
> Thank you for the detailed explanations and blog post. I'm not really
> having a problem with my CGI app, nor am I trying to create a custom
> type. I'm just trying to get a better understanding of SELinux
> generally, and specifically what policies audit2allow is creating.
> Your answers have gotten me a little closer.

audit2allow is just translating AVC denials into type enforcement policy rules, e.g. picking out the source type, target type, target object class and permission(s). Then it just prepends that with either an allow or dontaudit access vector, depending on what you tell it to do (that's an audit2allow option; it defaults to allow).

Example:

allow source_type target_type:target_object_class { permissions };

It is very limited. It can only do basic type enforcement translation and it cannot make security decisions (for example, decide whether to create a file with an inherited file type or to create it with a type transition. Similarly, it cannot decide whether to just run an executable file or run it with a domain type transition). It always just does the former.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
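To make the translation described in the reply concrete, here is an added example (written for this page, not code from audit2allow or the thread) that parses AVC denial lines, picks out the source type, target type, object class and permissions, merges permissions hitting the same triple, and emits either allow or dontaudit rules. The denial lines, PIDs, paths and the type names in them are constructed sample data for the example.

```python
import re

# Constructed sample AVC denials (not real log lines from the thread).
# Two of them hit the same source/target/class triple, so the merge is visible.
SAMPLE_AVC = """\
type=AVC msg=audit(1366211520.123:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="data.txt" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1366211520.125:43): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/rich/data.txt" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1366211520.130:44): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

# Pull the permission set and the three context/class fields out of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # A security context is user:role:type[:range]; the type is the third field.
    return context.split(":")[2]

def collect_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; nothing to translate
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def render(rules, vector="allow"):
    """Emit TE rules; vector is 'allow' (the default) or 'dontaudit'."""
    if vector not in ("allow", "dontaudit"):
        raise ValueError("vector must be allow or dontaudit")
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"{vector} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    for rule in render(collect_rules(SAMPLE_AVC)):
        print(rule)
```

Note what the output does not contain: no type_transition and no domain transition rules, only the literal allow (or dontaudit) of whatever was denied, which is the limitation the reply describes.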