On 05/01/2014 08:38 AM, Dominick Grift wrote:
> On Tue, 2014-04-29 at 10:59 -0400, Steve Lawrence wrote:
>
> I have not yet had time to try this out but I think I may have found
> another bug in secilc.
>
> dontaudit rules are not included in the policy it seems.
>
> Today I called a terms_dontaudit_use_console()
>
> which basically has a rule like:
>
> (dontaudit ARG1 console_device_t rw_term_perms)
>
> But the rule is not ending up in the resulting policy (in no dontaudit
> rules at all)
>
> secilc is looking mighty good overall though.
>

I've tested with the pp to CIL method, Jim's cilpolicy.git, and a very
bare bones cil policy in test/policy.cil and I cannot reproduce the
issue you describe where dontaudit rules don't end up in the policy.

The only thing I can think of is that you're giving the -D flag, which
will disable dontaudits. If that's not the case, would it be possible
to provide us your CIL files?

Thanks,
- Steve