On Thu, 2014-05-01 at 08:57 -0400, Steve Lawrence wrote:
>
> I've tested with the pp to CIL method, Jim's cilpolicy.git, and a very
> bare bones cil policy in test/policy.cil and I cannot reproduce the
> issue you describe where dontaudit rules don't end up in the policy. The
> only thing I can think of is that you're giving the -D flag, which will
> disable dontaudits. If that's not the case, would it be possible to
> provide us your CIL files?

Sure, I can give the whole thing:

Here is the spec I use to build a secilc package:
https://github.com/doverride/secilc-spec

Here is my "work in progress" policy written in CIL:
https://github.com/doverride/monogam
(it has a script in "support/" that I most of the time use to
"build/load" policy)

Here is the spec I use to build a "monogam" policy package:
https://github.com/doverride/monogam-spec

Side note: I am also using a custom installation of policycoreutils
(without semanage/semodule). The spec for that is here:
https://github.com/doverride/policycoreutils-spec

If you look in the systemd policy module (I believe) then you'll see that I
call the term_dontaudit_use_console(), which for some reason does not
make it to the policy.

seinfo shows no dontaudit rules and neither does sesearch.