Debugging sepolgen-ifgen?

Hi all

I've noticed that on my system, for some interfaces, the results in
/var/lib/sepolgen/interface_info are missing file-specific feedback.

For instance, consider the kernel_rw_kernel_sysctl() interface, which is
coded as follows:

interface(`kernel_rw_kernel_sysctl',`
        gen_require(`
                type proc_t, sysctl_t, sysctl_kernel_t;
        ')

        rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)

        list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
')

In the interface_info file, I only find the following metadata about this
interface:

[InterfaceVector kernel_rw_kernel_sysctl $1:source ]
$1,sysctl_t,dir,getattr,open,search
$1,sysctl_kernel_t,dir,getattr,open,search
$1,proc_t,dir,getattr,open,search

Shouldn't this at least contain something like this?

$1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append 

Although not critical, it does result in audit2allow -R not using
refpolicy-style interfaces when possible...

How can I debug this? I know the file is generated by sepolgen-ifgen, but
rerunning it doesn't add any file-related metadata and I'm totally oblivious
as to how the parsing is done...

Wkr,
	Sven Vermeulen
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.



