On 03/06/2011 12:32 AM, Russell Coker wrote:
> On Sat, 29 Jan 2011, Simon Brandmair <sbrandmair@xxxxxxx> wrote:
>> I just started looking into SELinux. I am wondering if there is a way to
>> have wildcards in avc rules like:
>> auditallow source_t target_t : * * ;
>> which audits all access from source_t to target_t.
>>
>> Or do I have to add all classes objects to the rule like:
>> auditallow source_t target_t : {appletalk_socket, association,
>> blk_file ... } * ;
>
> No, there isn't such a wildcard at this time (AFAIK). It might be worth
> adding one so I've moved this discussion to the SE Linux upstream mailing list
> (please don't CC debian-security on future replies).
>

Not possible, and as far as I know neither is your second suggestion. This is
because not all permissions can be used with all object classes.

You would add a rule for each object class type (or set of object classes that
share the same permissions):

auditallow source target:notdevfile_class_set *;
auditallow source target:devfile_class_set *;
auditallow source target:socket_class_set *;
auditallow source target:file_class_set *;

etc, etc.

I am not sure if auditallow is the right way to do this. Maybe the audit suite
has better options for your requirements.
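Once per-class auditallow rules like the ones above are loaded, every matching access shows up in the audit log as an AVC record with decision "granted" (denials appear as "denied"). The script below is an added example, not part of this thread or of any SELinux project code: it parses such records from a constructed sample log and tallies, per object class and permission, what source_t actually did to target_t, which is the view the original question was after. The type names, pids, paths and inode numbers in the sample are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (not real log data). The first four are
# what auditallow/denial rules between source_t and target_t would produce;
# the last one involves unrelated types and must be ignored by the filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1299390000.101:201): avc:  granted  { read open } for  pid=2201 comm="source_bin" path="/var/lib/target/data" dev="dm-0" ino=1234 scontext=system_u:system_r:source_t:s0 tcontext=system_u:object_r:target_t:s0 tclass=file
type=AVC msg=audit(1299390000.102:202): avc:  granted  { search } for  pid=2201 comm="source_bin" name="target" dev="dm-0" ino=1200 scontext=system_u:system_r:source_t:s0 tcontext=system_u:object_r:target_t:s0 tclass=dir
type=AVC msg=audit(1299390000.103:203): avc:  granted  { write } for  pid=2201 comm="source_bin" path="/run/target.sock" dev="tmpfs" ino=77 scontext=system_u:system_r:source_t:s0 tcontext=system_u:object_r:target_t:s0 tclass=sock_file
type=AVC msg=audit(1299390000.104:204): avc:  denied  { unlink } for  pid=2201 comm="source_bin" name="data" dev="dm-0" ino=1234 scontext=system_u:system_r:source_t:s0 tcontext=system_u:object_r:target_t:s0 tclass=file
type=AVC msg=audit(1299390000.105:205): avc:  granted  { read } for  pid=3300 comm="other_bin" path="/etc/other.conf" dev="dm-0" ino=99 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Matches the decision, the permission set in braces, and the three
# fields that identify the access: source context, target context, class.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is always the third field,
    # so this also works for MLS contexts with a level range appended.
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def summarize_access(log_text, source_type, target_type):
    """Count (decision, tclass, permission) triples for source_type -> target_type."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["stype"] != source_type or rec["ttype"] != target_type:
            continue
        for perm in rec["perms"]:
            counts[(rec["decision"], rec["tclass"], perm)] += 1
    return dict(counts)


def classes_seen(summary):
    """Object classes that occurred in the summary, sorted; useful for checking
    that every class actually touched is covered by one of the auditallow rules."""
    return sorted({tclass for (_decision, tclass, _perm) in summary})


if __name__ == "__main__":
    summary = summarize_access(SAMPLE_AUDIT_LOG, "source_t", "target_t")
    for (decision, tclass, perm), n in sorted(summary.items()):
        print(f"{decision:8} {tclass:12} {perm:10} {n}")
    print("classes:", ", ".join(classes_seen(summary)))
```

On a real system the same functions can be fed the output of `ausearch -m avc` instead of the embedded sample; the filter on source and target type is what keeps the result limited to the pair of types the question asks about.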