On 04/21/2010 09:53 PM, Karl MacMillan wrote:
> On Wed, Apr 21, 2010 at 10:04 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> Ok that works, but if we move to a more general case. or openvpn_t
>> getattr on etc_t
>>
>> #============= openvpn_t ==============
>> # src="openvpn_t" tgt="etc_t" class="file", perms="getattr"
>> # comm="openvpn" exe="" path=""
>> # Interface options:
>> #   automount_exec_config(openvpn_t) # [51]
>> #   files_exec_etc_files(openvpn_t) # [51]
>> #   files_delete_etc_files(openvpn_t) # [118]
>> #   files_relabel_etc_files(openvpn_t) # [136]
>> #   files_rw_etc_files(openvpn_t) # [161]
>> #   files_read_etc_files(openvpn_t) # [171]
>> #   files_manage_etc_files(openvpn_t) # [179]
>> #   auth_use_nsswitch(openvpn_t) # [1342]
>> #   seutil_semanage_policy(openvpn_t) # [3489]
>> #   auth_login_pgm_domain(openvpn_t) # [3717]
>> #   portage_compile_domain(openvpn_t) # [4004]
>>
>> I would have expected files_read_etc_files(openvpn_t) to be the
>> closest/best match.
>>
>
> Can you send me the audit messages for this?
>
>> The tool is getting confused by attributes. Since attributes are not
>> currently interpretable, they should be eliminated from the calculation.
>> Best way to do this is just eliminate any types that don't end in a _t.
>
> I'm not certain what you mean by this - confused in what way? The only
> thing I know about is the lack of typattribute statements. The
> attached patch adds attribute handling to sepolgen. It's only lightly
> tested but I wanted you to get it sooner rather than later.
>
> Karl

First let me get rid of these ^M all over the patch.pwd

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.