Policies rules generated using "audit2allow -R" questions (risks)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm a selinux newbie using RHEL7.9 and I'm in the process of creating a "private/application" selinux policy for a
large legacy application.

For some AVCs/denials I've been using the audit2allow to generate some of the rules/interfaces to resolve the AVCs/denials.

Questions about using the "-R" option to generate the policy rules:

1. What are the risks of using the "-R" option?
Do people use the "interfaces" which the "-R" generates in the policies deployed in production environments?
When "-R" is used, how does the tool itself determine which "interface" to use? Is it Linux distribution and release specific so if we upgrade will it be a problem?
The redhat documentation and man page (and other vendor's documentation) specify it is a risk to use this tool (see [1][2]).

2. When the "-R" option is not used, separate rules are generated that do not include "interface" rules.
Is it safe to use the rules audit2allow generates (without "-R") or are those a risk as well?
3. Any other suggestions for resolving AVCs/denials ?
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

[2] audit2allow man page
man audit2allow
...
-R | --reference
Generate reference policy using installed macros. This attempts to match denials against interfaces and may be
inaccurate.
Thanks


_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux