Re: total newbie audit2allow question


On 04/17/2013 01:01 PM, Dominick Grift wrote:
> On Wed, 2013-04-17 at 09:12 -0600, Richard Greenwood wrote:
> 
>> 
>> 
>> Thank you for the detail explanations and blog post. I'm not really 
>> having a problem with my CGI app, nor am I trying to create a custom 
>> type. I'm just trying to get a better understanding of SELinux generally,
>> and specifically what policies audit2allow is creating. Your answers have
>> gotten me a little closer.
>> 
> 
> audit2allow is just translating AVC denials into type enforcement policy
> rules, e.g. picking out the source type, target type, target object class
> and permission(s). Then it just prepends that with either an allow or a
> dontaudit access vector, depending on what you tell it to do (that's an
> audit2allow option; it defaults to allow).
> 
> example:
> 
> allow source_type target_type:target_object_class { permissions };
> 
> It is very limited. It can only do basic type enforcement translation, and
> it cannot make security decisions (for example, decide whether to create a
> file with an inherited file type or to create it with a type transition;
> similarly, it cannot decide whether to just run an executable file or to run
> it with a domain type transition). It always just does the former.
> 
Boy, if it could figure out whether or not to do a transition, that would be
cool.  It also cannot do a good job of figuring out what would be the best
type to set a target to, if you want to allow write.

Although we could do a better job than we do now.  I think I made
setroubleshoot sort the list of types based on type prefix.

Having heuristics on the path would be cool also.

allow httpd_t var_log_t:file append;

If audit2allow would suggest that perhaps you should change the label of the
file to httpd_var_log_t.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
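The two points made in this thread, that audit2allow does nothing more than pull source type, target type, object class and permissions out of each AVC record and wrap them in an allow (or, with -D, dontaudit) rule, and that a smarter tool could notice when a domain-prefixed type already exists for the target and suggest relabeling instead, are illustrated by the following added example. It is not audit2allow's code and not part of the original mail. The AVC lines, the KNOWN_TYPES list and the relabel heuristic (match types that start with the source domain's prefix and end with the target type's last word) are all constructed for the demonstration; on a real system the type list would come from `seinfo -t` and the heuristic would need the actual file-context rules.

```python
import re
from collections import OrderedDict

# Constructed sample audit records (illustrative, not captured from a real host).
# The SYSCALL line is there to show that non-AVC records are skipped.
SAMPLE_AVC = """\
type=SYSCALL msg=audit(1366217463.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1366217463.123:456): avc:  denied  { append } for  pid=1234 comm="httpd" name="error.log" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1366217463.200:457): avc:  denied  { read write } for  pid=1234 comm="httpd" name="error.log" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1366217464.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Constructed stand-in for the policy's type list (assumption; use `seinfo -t` for real data).
KNOWN_TYPES = [
    "httpd_log_t", "httpd_sys_content_t", "httpd_sys_rw_content_t",
    "httpd_var_run_t", "mysqld_port_t", "var_log_t", "var_run_t",
]

# Permissions that imply the domain wants to modify the object, and the
# object classes for which relabeling the file is a plausible alternative.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "link", "rmdir", "add_name", "remove_name"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file",
                "chr_file", "blk_file"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Extract (source_type, target_type, tclass, {perms}) from each AVC denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other record types carry no AVC fields
        denials.append((context_type(m.group("scontext")),
                        context_type(m.group("tcontext")),
                        m.group("tclass"),
                        set(m.group("perms").split())))
    return denials


def to_te_rules(denials, dontaudit=False):
    """Merge denials with the same (source, target, class) into one TE rule each,
    exactly the mechanical translation audit2allow performs."""
    merged = OrderedDict()
    for src, tgt, cls, perms in denials:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    av = "dontaudit" if dontaudit else "allow"
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("%s %s %s:%s %s;" % (av, src, tgt, cls, body))
    return rules


def suggest_relabel(denials, known_types):
    """Heuristic (constructed, not audit2allow's): when a domain wants to write a
    generic file type, look for an existing type that carries the domain's prefix
    and the target type's last word, e.g. httpd_t + var_log_t -> httpd_log_t."""
    found = {}
    for src, tgt, cls, perms in denials:
        if cls not in FILE_CLASSES or not (perms & WRITE_LIKE):
            continue
        prefix = src[:-2] if src.endswith("_t") else src   # httpd_t -> httpd
        stem = tgt[:-2] if tgt.endswith("_t") else tgt      # var_log_t -> var_log
        tail = stem.split("_")[-1]                          # var_log -> log
        cands = {k for k in known_types
                 if k.startswith(prefix + "_") and k.endswith("_" + tail + "_t")}
        if cands:
            found.setdefault((src, tgt, cls), set()).update(cands)
    return {key: sorted(v) for key, v in found.items()}


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    for rule in to_te_rules(denials):
        print(rule)
    for (src, tgt, cls), types in suggest_relabel(denials, KNOWN_TYPES).items():
        print("# %s was denied write-like access to %s:%s; consider relabeling to %s"
              % (src, tgt, cls, " or ".join(types)))
```

Running the script prints the same two rules `audit2allow -a` would produce for these records (`allow httpd_t var_log_t:file { append read write };` and `allow httpd_t mysqld_port_t:tcp_socket name_connect;`), followed by the relabel hint for the log file; note that the hint is the part audit2allow does not do, and that neither the script nor audit2allow can tell whether the right fix is the allow rule, a relabel, or a type transition.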