On Wed, Apr 21, 2010 at 10:04 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Ok that works, but if we move to a more general case. or openvn_t
> getattr on etc_t
>
> #============= openvpn_t ==============
> # src="openvpn_t" tgt="etc_t" class="file", perms="getattr"
> # comm="openvpn" exe="" path=""
> # Interface options:
> # automount_exec_config(openvpn_t) # [51]
> # files_exec_etc_files(openvpn_t) # [51]
> # files_delete_etc_files(openvpn_t) # [118]
> # files_relabel_etc_files(openvpn_t) # [136]
> # files_rw_etc_files(openvpn_t) # [161]
> # files_read_etc_files(openvpn_t) # [171]
> # files_manage_etc_files(openvpn_t) # [179]
> # auth_use_nsswitch(openvpn_t) # [1342]
> # seutil_semanage_policy(openvpn_t) # [3489]
> # auth_login_pgm_domain(openvpn_t) # [3717]
> # portage_compile_domain(openvpn_t) # [4004]
>
> I would have expected files_read_etc_files(openvpn_t) to be the
> closest/best match.
>

Can you send me the audit messages for this?

> The tool is getting confused by attributes. Since attributes are not
> currently interpretable, they should be eliminated from the calculation.
> Best way to do this is just eliminate any types that don't end in a _t.

I'm not certain what you mean by this - confused in what way? The only thing I know about is the lack of typattribute statements.

The attached patch adds attribute handling to sepolgen. It's only lightly tested but I wanted you to get it sooner rather than later.

Karl

Attachment:
0001-Add-attribute-handling-to-sepolgen.patch
Description: Binary data