On 03/01/2012 02:52 AM, Sven Vermeulen wrote:
Hi guys,

Is it possible to update setools (and, more specifically, seinfo and sesearch) to support role_attribute queries as well? I find those two tools very useful to query the policy, often in search for why certain things are failing (for instance, to see which types match which type attributes, which user roles can "be in" particular types, etc.).
Unfortunately, the role attributes won't be written to the final policy.X, since their destiny has been fulfilled during link and expansion, with all their capabilities (being able to bond with various types) having been properly propagated to all their sub-roles. Consequently, seinfo can't be used to query role attributes, since they don't exist in the policy.X in the first place.

Instead, I would suggest falling back to checking one of the sub-roles that belong to a role attribute via "seinfo -r -x", if you suspect that a role attribute has not been typed with enough types. For example, when I found sysadm_r was unable to type with newrole_t, I was almost certain that newrole_roles, which contains sysadm_r, should have been typed with newrole_t.
Thanks, Harry
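The workaround Harry describes (the attribute is gone from policy.X, so inspect each member role's type set with "seinfo -r -x" instead) is tedious to do by hand once an attribute has many members. The script below is an added example, not code from this thread or from setools: it parses captured "seinfo -r -x" output and, given the member list of a role attribute as read from the policy sources, reports which members were not granted a type. The sample output is constructed to resemble setools 3's layout (the exact indentation and section names are an assumption; adjust the parser if your version prints differently), and the membership sets for newrole_roles and mozilla_roles are likewise constructed.

```python
from typing import Dict, Set

# Constructed sample, laid out like setools 3 "seinfo -r -x" output.
# The layout (3-space role names, 6-space section headers, 9-space entries)
# is an assumption about the tool's format, not a capture from a real box.
SAMPLE_SEINFO_R_X = """\
Roles: 3
   sysadm_r
      Dominated Roles:
         sysadm_r
      Types:
         sysadm_t
         newrole_t
         mozilla_t
   staff_r
      Dominated Roles:
         staff_r
      Types:
         staff_t
         newrole_t
         mozilla_t
         mozilla_plugin_t
   user_r
      Dominated Roles:
         user_r
      Types:
         user_t
         mozilla_t
"""

# Role attribute membership only survives in the policy sources, since the
# attribute itself is expanded away at link time. These sets are constructed
# for the example; in practice you read them out of the .te / .if files.
ROLE_ATTRIBUTES: Dict[str, Set[str]] = {
    "newrole_roles": {"sysadm_r", "staff_r"},
    "mozilla_roles": {"sysadm_r", "staff_r", "user_r"},
}


def parse_seinfo_roles(text: str) -> Dict[str, Set[str]]:
    """Map each role in "seinfo -r -x" output to the set of types it may enter."""
    roles: Dict[str, Set[str]] = {}
    current = None   # role whose block we are inside
    section = None   # "Dominated Roles" or "Types" within that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Roles:"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 3:
            # A role name at the outermost indentation starts a new block.
            current = line
            roles[current] = set()
            section = None
        elif line.endswith(":"):
            section = line[:-1]
        elif section == "Types" and current is not None:
            roles[current].add(line)
    return roles


def roles_missing_type(roles: Dict[str, Set[str]],
                       attribute_members: Set[str],
                       type_name: str) -> Set[str]:
    """Members of a role attribute that were NOT granted type_name.

    An empty result means the attribute-level role/type association reached
    every member; a non-empty result names the roles to look at in the sources.
    A member that does not appear in the seinfo output at all is also reported.
    """
    return {r for r in attribute_members if type_name not in roles.get(r, set())}


def check_role_attribute(seinfo_output: str, attribute: str, type_name: str) -> Set[str]:
    """Convenience wrapper: parse the output and run the check for one attribute."""
    return roles_missing_type(parse_seinfo_roles(seinfo_output),
                              ROLE_ATTRIBUTES[attribute], type_name)


if __name__ == "__main__":
    for attr, t in (("newrole_roles", "newrole_t"),
                    ("mozilla_roles", "mozilla_t"),
                    ("mozilla_roles", "mozilla_plugin_t")):
        missing = check_role_attribute(SAMPLE_SEINFO_R_X, attr, t)
        status = "ok" if not missing else "missing in " + ", ".join(sorted(missing))
        print(f"{attr} / {t}: {status}")
```

On a real system you would feed the script the actual output (for example, `seinfo -r -x > roles.txt` and read that file instead of the constructed string) and take the membership sets from the refpolicy sources. With the constructed data above, newrole_roles/newrole_t and mozilla_roles/mozilla_t check out, while mozilla_roles/mozilla_plugin_t flags sysadm_r and user_r, which is exactly the kind of gap Sven reports having to find by reading sources alone.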
With the 20120215 refpolicy release, role attributes are used extensively, but there are some quirks here and there that are easily solved, but might be a bit more challenging to debug if all you have to debug with are the sources. For instance, I found that mozilla_plugin_t isn't part of mozilla_roles yet (yes, Chris, I'll send up the patch later when most of the testing has been done ;-)).

If I could do something like:

  ~$ seinfo -tmozilla_t -x

to see that this one is part of mozilla_roles, and

  ~$ seinfo -tmozilla_plugin_t -x

isn't, then I can quickly deduce that this is what I need to patch. Similarly, using sesearch with --role_source supporting role attributes would be very nice as well.

Wkr,
Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.