On 08/12/2016 04:58 PM, Stephen Smalley wrote: > On 08/12/2016 10:22 AM, Dominick Grift wrote: >> On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote: >>> For modify action actually audit the selinux type, i.e. use >>> setype variable. >>> >>> For deleting equal fcontext rules do not audit ftype, as the >>> ftype value for equal rules makes little sense. >>> >>> Signed-off-by: Miroslav Vadkerti <mvadkert@xxxxxxxxxx> --- >>> policycoreutils/semanage/seobject.py | 4 ++-- 1 file changed, 2 >>> insertions(+), 2 deletions(-) >>> >>> diff --git a/policycoreutils/semanage/seobject.py >>> b/policycoreutils/semanage/seobject.py index 786ed0e..8d3088c >>> 100644 --- a/policycoreutils/semanage/seobject.py +++ >>> b/policycoreutils/semanage/seobject.py 
@@ -1992,7 +1992,7 @@ >>> class fcontextRecords(semanageRecords): if not seuser: seuser = >>> "system_u" >> >> system_u is reference policy specific. this is selinux user space >> not reference policy user space. > > Yes, that's pre-existing though (not added by this patch), and > unfortunately pervasive throughout seobject.py. > > I guess we'll need to decide how to provide this information so that > it doesn't have to be hardcoded in seobject.py, e.g. yet another > policy configuration file with default values for each security > context field? I would not mind that if that is the best approach. Those object_r occurrences raise another question. Should we be "supporting" defaultrole source (RBACSEP) or not (i suppose we should) > >> >>> >>> - self.mylog.log_change("resrc=fcontext op=modify %s >>> ftype=%s tcontext=%s:%s:%s:%s" % >>> (audit.audit_encode_nv_string("tglob", target, 0), >>> ftype_to_audit[ftype], seuser, "object_r", type, serange)) + >>> self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s >>> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", >>> target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, >>> serange)) >>> >>> def modify(self, target, setype, ftype, serange, seuser): >>> self.begin() 
@@ -2030,7 +2030,7 @@ class >>> fcontextRecords(semanageRecords): self.equiv.pop(target) >>> self.equal_ind = True >>> >>> - self.mylog.log_change("resrc=fcontext >>> op=delete-equal %s ftype=%s" % >>> (audit.audit_encode_nv_string("tglob", target, 0), >>> ftype_to_audit[ftype])) + >>> self.mylog.log_change("resrc=fcontext op=delete-equal %s" % >>> (audit.audit_encode_nv_string("tglob", target, 0))) >>> >>> return >>> >>> >> >> >> >> >> _______________________________________________ Selinux mailing >> list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to >> Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing >> "help" to Selinux-request@xxxxxxxxxxxxx. >> > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
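Review bot: in the @@ -1992 hunk the substitution of `setype` for `type` is correct, but the commit message should say why it matters: `type` is not one of the arguments in the `modify(self, target, setype, ftype, serange, seuser)` signature shown in the context, so the tcontext field of the `op=modify` audit record was being formatted from whatever `type` resolved to in that scope (the Python builtin, unless something shadows it) rather than the SELinux type actually requested, which left the audit trail without the one value an auditor would want for a modify. The hard-coded `system_u` fallback and `object_r` on the same line are pre-existing and, as the thread already notes, belong in a separate change.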
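Review bot: in the @@ -2030 hunk, dropping `ftype=` from the `op=delete-equal` record means `resrc=fcontext` records no longer share one field layout (the `op=modify` record in the previous hunk still carries `ftype=`), so anything that parses these audit events must treat the field as optional; a sentence in the commit message or the semanage documentation stating this would help consumers. Minor style point on the new line: `% (audit.audit_encode_nv_string("tglob", target, 0))` is a parenthesised single expression, not a tuple, and it works only because the encoded value is a single string; `% (audit.audit_encode_nv_string("tglob", target, 0),)` with a trailing comma, or no parentheses at all, makes the intent explicit.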