On Tue, Jan 14, 2025 at 3:25 PM John Griffiths via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> We went from very laborious policy module creation to much easier
> with sealert and audit2allow and, apparently, back to being
> laborious.

audit2allow cannot know whether access is being denied due to a file (or port) mislabeling, or because necessary rules are missing. So it assumes that necessary rules are missing, and generates rules that will result in the denied access being permitted.

The issue is that almost always, the correct rules are present, but access is being denied because the filesystem (or port et al.) labels are incorrect. In that case, the correct solution is to correct the labels, so that access will be granted. Adding rules that permit access to the incorrectly-labeled files will grant the application more access than it should have.

For these reasons, it’s best to not blindly trust the rules that audit2allow generates, but instead use its output to debug filesystem labeling issues (which, again, is almost always the issue).

Note that audit2allow is aware of SELinux booleans, and will tell you if the access can be permitted by enabling a specific boolean.

--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
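The triage the reply describes, as an added shell example that is not part of the thread and not code from the audit2allow or SELinux projects: it parses an AVC denial record, pulls out the source and target types, and decides whether the denial looks like a mislabel (on-disk type differs from what the file-context policy expects) before anyone considers new allow rules. The AVC record is constructed for illustration, and the path /var/www/html/index.html and the expected type httpd_sys_content_t are assumptions; on a real host the expected type comes from `matchpathcon -n "$path"`, which the script does not call so that it runs where SELinux tools are absent.

```shell
#!/bin/sh
# Added example (not from the thread): triage an AVC denial the way the reply
# recommends, checking for a mislabel before trusting what audit2allow would emit.

# Constructed AVC record for illustration; not taken from any real audit log.
AVC='type=AVC msg=audit(1736868300.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Extract one key=value field (quoted or bare) from an AVC record.
# $1 = record, $2 = key
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Extract the permission set inside "{ ... }", e.g. "read" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# Reduce a user:role:type:level context to its type component.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a denial. $1 = record, $2 = type the file-context policy expects for
# the target (on a real host: matchpathcon -n "$path" | cut -d: -f3; the caller
# passes it in so this runs where SELinux tools are absent).
# Prints "mislabel" when the on-disk type differs from policy, "rule" when it
# matches (so rules or a boolean are what is missing), "unknown" if not given.
classify() {
    actual=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ -z "$2" ]; then
        echo unknown
    elif [ "$actual" != "$2" ]; then
        echo mislabel
    else
        echo rule
    fi
}

# Print the verdict and the next command to run.
# $1 = record, $2 = path of the denied object, $3 = expected type (see classify)
triage() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    echo "denied: $src -> $tgt ($cls) { $perms } on $2"
    case $(classify "$1" "$3") in
        mislabel)
            echo "verdict: mislabel; $2 is $tgt but policy expects $3"
            echo "fix: restorecon -v '$2'   (dry run first: restorecon -nv '$2')"
            ;;
        rule)
            echo "verdict: label matches policy; check for a boolean before adding rules"
            echo "next: audit2allow -w -i /var/log/audit/audit.log   # -w (audit2why) names a boolean if one applies"
            echo "next: sesearch -A -s $src -t $tgt -c $cls -p ${perms%% *}"
            ;;
        *)
            echo "verdict: unknown; run: matchpathcon -n '$2'"
            ;;
    esac
}

# Example run with the constructed record. The expected type is an assumption
# standing in for matchpathcon output on a real system.
triage "$AVC" /var/www/html/index.html httpd_sys_content_t
```

The point of the ordering is the one the reply makes: only after the on-disk label agrees with what policy expects does it make sense to look at rules, and even then `audit2allow -w` (the audit2why mode) is checked first, because a boolean that already covers the access is a far smaller grant than a fresh allow rule for a wrongly labeled file.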