Bugzilla Bug 441402: audit2allow parses 'granted' audit entries like they were 'denied'

> -----Original Message-----
> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> Sent: Monday, April 07, 2008 1:21 PM
> To: Karrels, Jeffrey J (US SSA)
> Cc: selinux@xxxxxxxxxxxxx; Daniel J Walsh
> Subject: RE: Audit2allow + allow rule for 'granted' access
>
> On Mon, 2008-04-07 at 08:41 -0700, Karrels, Jeffrey J (US SSA) wrote:
> > policycoreutils-1.33.12-12.el5
>
> Ok, file a bugzilla against it, please.
> Dan will have to extract the bug fix from sepolgen upstream and back
> port it.
>
> > > -----Original Message-----
> > > From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> > > Sent: Friday, April 04, 2008 5:05 AM
> > > To: Karrels, Jeffrey J (US SSA)
> > > Cc: selinux@xxxxxxxxxxxxx; Daniel J Walsh
> > > Subject: Re: Audit2allow + allow rule for 'granted' access
> > >
> > > On Thu, 2008-04-03 at 16:06 -0700, Karrels, Jeffrey J (US SSA) wrote:
> > > > Not that this is a big deal, but is there a way to stop audit2allow
> > > > from processing and creating rules for audits that are 'granted'?
> > > >
> > > > I turned on auditing for a couple of rules so I can keep an eye on
> > > > domain transitions. That creates some entries in the audit log such
> > > > as: "avc: granted { transition } for pid=3409 ".
> > > >
> > > > When I run audit2allow on that entry, audit2allow creates a rule for
> > > > that entry as if the entry were a 'denied' rather than a 'granted'. It
> > > > came into being an issue when I was ignoring the allow transition
> > > > entries, and there was an actual 'denied' audit (hidden amongst the
> > > > granted transitions [for mls reasons]) that I was not catching when
> > > > manually going through the logs.
> > >
> > > That's a bug. What version of policycoreutils? Fixed upstream already,
> > > I believe, so bugzilla it against RHEL.
> > >
> > > --
> > > Stephen Smalley
> > > National Security Agency
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> > the words "unsubscribe selinux" without quotes as the message.
>
> --
> Stephen Smalley
> National Security Agency
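
The failure mode described in the thread, a real 'denied' record hidden among 'granted' transition records, shown as an added example that is not part of the original messages and is not code from policycoreutils or sepolgen: a pre-filter that keeps only 'denied' AVC records before a log is handed to audit2allow, plus a per-decision summary. The sample log lines, SELinux types and pids are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Decision and permission set of an AVC record, e.g.
#   avc:  granted  { transition } for  pid=3409 ...
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")

# Constructed sample records (hypothetical types and pids, not from the thread).
SAMPLE_LOG = [
    'type=AVC msg=audit(1207263960.101:41): avc:  granted  { transition } for  pid=3409 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:app_t:s0 tclass=process',
    'type=AVC msg=audit(1207263960.205:42): avc:  granted  { transition } for  pid=3410 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:app_t:s0 tclass=process',
    'type=AVC msg=audit(1207263961.310:43): avc:  denied  { read write } for  pid=3411 comm="app" name="data" scontext=system_u:system_r:app_t:s0 tcontext=system_u:object_r:secret_t:s15 tclass=file',
    'type=SYSCALL msg=audit(1207263961.310:43): arch=40000003 syscall=5 success=no exit=-13',
]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["decision"] = m.group(1)            # 'granted' or 'denied'
    rec["perms"] = tuple(m.group(2).split())
    return rec


def denied_only(lines):
    """Raw lines whose AVC decision is 'denied'; 'granted' records are dropped."""
    kept = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            kept.append(line)
    return kept


def summarize(lines):
    """Count AVC records per (decision, permissions, target class)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            counts[(rec["decision"], rec["perms"], rec.get("tclass", "?"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print("\n".join(denied_only(SAMPLE_LOG)))
```

Reviewing the summary before generating policy shows how many records of each decision the log holds, so a lone denial among audited grants is visible rather than buried.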