On Thu, Apr 22, 2010 at 9:38 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> I have not fully examined this patch but I don't believe it will do what
> I need.
>
> If I define an interface that ends up looking like this:
>
> [InterfaceVector files_read_etc_files $1:source ]
> $1,configfile,dir,ioctl,search,read,lock,open,getattr
> $1,configfile,file,read,lock,getattr,open,ioctl
> $1,configfile,lnk_file,read,getattr
>
> And have an avc that looks like this:
>
> node=(removed) type=AVC msg=audit(1271587735.632:422): avc: denied { getattr } for pid=13239 comm="openvpn"
> path="/home/bbaetz/.pki/vpn01_cacert.pem" dev=dm-3 ino=565334
> scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
>
> This will never match.
>
> What we need is a way to expand out configfile into etc_t, or to realize
> that etc_t is a configfile.
>
> The tool you added does not do the equivalent of
>
> seinfo -aconfigfile -x

No, it doesn't do that yet, but I'll get to that soon. Now that I have the
infrastructure for digging through the binary policy for attribute
information it won't be too hard.

Karl

> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
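The mismatch Dan describes, worked through in code. This is an added example, not code from the thread or from the tool under discussion: it parses the AVC line quoted above, then tries to match it against the files_read_etc_files interface vector first without and then with an attribute-to-types map. The ATTRIBUTE_TYPES table is a hypothetical, abbreviated stand-in for what `seinfo -aconfigfile -x` would print on a real system (etc_t is a configfile in the reference policy; the other members listed are assumed for illustration), and the match rules (same object class, target type equal to or a member of the vector's target, denied permissions a subset of the vector's permissions) are this example's own, not the tool's.

```python
"""Match an AVC denial against interface vectors whose target is an attribute.

Added example. The attribute expansion below stands in for
`seinfo -aconfigfile -x` output and is constructed, not taken from a policy.
"""
import re
from dataclasses import dataclass

# Interface vector rows from the message. The $1 source column is an
# interface parameter and is not part of the target match, so it is omitted.
INTERFACE_VECTORS = {
    "files_read_etc_files": [
        ("configfile", "dir", {"ioctl", "search", "read", "lock", "open", "getattr"}),
        ("configfile", "file", {"read", "lock", "getattr", "open", "ioctl"}),
        ("configfile", "lnk_file", {"read", "getattr"}),
    ],
}

# Hypothetical attribute -> types map (what seinfo -a<attr> -x would give).
# etc_t really is a configfile; the rest of the set is illustrative only.
ATTRIBUTE_TYPES = {
    "configfile": {"etc_t", "etc_runtime_t"},
}

# The denial quoted in the thread (one line, as audit emits it).
SAMPLE_AVC = (
    'node=(removed) type=AVC msg=audit(1271587735.632:422): avc: denied '
    '{ getattr } for pid=13239 comm="openvpn" '
    'path="/home/bbaetz/.pki/vpn01_cacert.pem" dev=dm-3 ino=565334 '
    'scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class AvcDenial:
    perms: frozenset
    source_type: str
    target_type: str
    tclass: str


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return fields[2]


def parse_avc(line):
    """Parse one AVC denial line; return None if it is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return AvcDenial(
        perms=frozenset(m.group("perms").split()),
        source_type=context_type(m.group("scontext")),
        target_type=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
    )


def target_matches(vector_target, target_type, attr_map):
    """True if the vector names the type directly or an attribute containing it."""
    if vector_target == target_type:
        return True
    return target_type in attr_map.get(vector_target, ())


def matching_interfaces(denial, vectors=INTERFACE_VECTORS, attr_map=ATTRIBUTE_TYPES):
    """Names of interfaces with a row covering the denial's class, target and perms."""
    hits = []
    for name, rows in vectors.items():
        for vector_target, tclass, perms in rows:
            if (tclass == denial.tclass
                    and target_matches(vector_target, denial.target_type, attr_map)
                    and denial.perms <= perms):
                hits.append(name)
                break
    return hits


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print("without attribute expansion:", matching_interfaces(denial, attr_map={}))
    print("with attribute expansion:   ", matching_interfaces(denial))
```

Without the attribute map the only candidate row names `configfile`, the denial names `etc_t`, and nothing matches, which is exactly the "this will never match" case; with the map the file row covers `getattr` on `etc_t` and the interface is reported.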