Anyway, could we have this patch applied and sort out a better way
of supplying defaults later please?
Thanks,
/M
On Mon, Aug 15, 2016 at 8:33 AM, Miroslav Vadkerti <mvadkert@xxxxxxxxxx> wrote:
On 08/12/2016 10:22 AM, Dominick Grift wrote:
> On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
>> For modify action actually audit the selinux type, i.e. use
>> setype variable.
>>
>> For deleting equal fcontext rules do not audit ftype, as the
>> ftype value for equal rules makes little sense.
>>
>> Signed-off-by: Miroslav Vadkerti <mvadkert@xxxxxxxxxx> ---
>> policycoreutils/semanage/seobject.py | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/policycoreutils/semanage/seobject.py
>> b/policycoreutils/semanage/seobject.py index 786ed0e..8d3088c
>> 100644 --- a/policycoreutils/semanage/seobject.py +++
>> b/policycoreutils/semanage/seobject.py @@ -1992,7 +1992,7 @@
>> class fcontextRecords(semanageRecords): if not seuser: seuser =
>> "system_u"
>
> system_u is reference policy specific. this is selinux user space
> not reference policy user space.
Yes, that's pre-existing though (not added by this patch), and
unfortunately pervasive throughout seobject.py.
I guess we'll need to decide how to provide this information so that
it doesn't have to be hardcoded in seobject.py, e.g. yet another
policy configuration file with default values for each security
context field?

The same issue might apply for serange, which also can be an empty
string and thus gets audited badly if not some default value.
>
>>
>> - self.mylog.log_change("resrc=fcontext op=modify %s
>> ftype=%s tcontext=%s:%s:%s:%s" %
>> (audit.audit_encode_nv_string("tglob", target, 0),
>> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
>> self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
>> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob",
>> target, 0), ftype_to_audit[ftype], seuser, "object_r", setype,
>> serange))
>>
>> def modify(self, target, setype, ftype, serange, seuser):
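Review bot: replacing `type` with `setype` in the tcontext field is a real bug fix, not a rename: `modify(self, target, setype, ftype, serange, seuser)` has no local named `type`, so the old line formatted the Python builtin and the audit record carried its repr instead of the SELinux type. Two things remain visible in the new line: `serange` goes unchanged into `"%s:%s:%s:%s"`, so an empty serange yields a trailing empty field (`seuser:object_r:setype:`), which is the bad auditing raised in the discussion and could be handled here with the same default treatment `seuser` gets; and `ftype_to_audit[ftype]` raises KeyError for any ftype not in that map, so either ftype is validated before this point or the lookup should use a fallback.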
>> self.begin() @@ -2030,7 +2030,7 @@ class
>> fcontextRecords(semanageRecords): self.equiv.pop(target)
>> self.equal_ind = True
>>
>> - self.mylog.log_change("resrc=fcontext
>> op=delete-equal %s ftype=%s" %
>> (audit.audit_encode_nv_string("tglob", target, 0),
>> ftype_to_audit[ftype])) +
>> self.mylog.log_change("resrc=fcontext op=delete-equal %s" %
>> (audit.audit_encode_nv_string("tglob", target, 0)))
>>
>> return
>>
>>
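Review bot: dropping `ftype` from the delete-equal record is right, since an equivalence rule has no file type, but the record now states only which target was removed and not what it was equivalent to. `self.equiv.pop(target)` returns the substitution being deleted; capturing it (`subst = self.equiv.pop(target)`) and adding it to the message would keep this op's audit trail as informative as the modify one. The record also still labels the target `tglob`, which reads as a file-context glob to an auditor; a name reflecting that this is an equivalence source would avoid confusion when the two record kinds are reviewed together.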
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
Miroslav Vadkerti :: Senior QE / RHCSS :: BaseOS QE Security
IRC mvadkert #qe #urt #brno #rpmdiff :: GPG 0x25881087
Desk Phone +420 532 294 129 :: Mobile +420 773 944 252
Red Hat Czech s.r.o, Purkyňova 99/71, 612 00, Brno, CR
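As an added illustration (not code from policycoreutils or from the patch under review), the Python below builds the two `resrc=fcontext` audit records discussed in this thread the way the patched lines do, but takes the default seuser, role and range from a lookup table standing in for the configuration file suggested above, and refuses to emit a context with an empty field. It also keeps a copy of the pre-patch `modify` line to show what the stray `type` actually logged. `CONTEXT_DEFAULTS`, `FTYPE_TO_AUDIT`, `encode_nv` and the record functions are assumptions of this example; `encode_nv` is a simplified stand-in for `audit.audit_encode_nv_string`, and the ftype names are constructed.

```python
# Added example; not code from policycoreutils or the patch under review.
# Builds the "resrc=fcontext" audit records the way the patched seobject.py
# lines do, with defaults from a table (assumption: stand-in for a policy
# config file) instead of hardcoded "system_u"/"object_r".

# Assumed defaults table; seobject.py hardcodes "system_u" and "object_r".
CONTEXT_DEFAULTS = {"seuser": "system_u", "role": "object_r", "serange": "s0"}

# Constructed subset of an ftype-to-audit-name map in the spirit of
# seobject.py's ftype_to_audit; the names are illustrative only.
FTYPE_TO_AUDIT = {"": "any", "d": "directory", "f": "file", "s": "socket"}


def encode_nv(name, value):
    """Simplified stand-in for audit.audit_encode_nv_string (assumption):
    values containing whitespace or quotes are double-quoted, others raw."""
    if value == "" or any(c in value for c in " \t\n\""):
        return '%s="%s"' % (name, value.replace('"', "'"))
    return "%s=%s" % (name, value)


def build_context(setype, seuser="", serange="", defaults=CONTEXT_DEFAULTS):
    """Assemble user:role:type:range, filling empty user/range from defaults.
    Raises ValueError rather than auditing a context with an empty field."""
    ctx = "%s:%s:%s:%s" % (seuser or defaults["seuser"], defaults["role"],
                           setype, serange or defaults["serange"])
    if "" in ctx.split(":"):
        raise ValueError("refusing to audit context with an empty field: %r" % ctx)
    return ctx


def modify_record(target, setype, ftype, serange="", seuser=""):
    """Audit line for 'semanage fcontext -m', as after the patch (setype used)."""
    return "resrc=fcontext op=modify %s ftype=%s tcontext=%s" % (
        encode_nv("tglob", target), FTYPE_TO_AUDIT[ftype],
        build_context(setype, seuser, serange))


def modify_record_before_fix(target, setype, ftype, serange="", seuser=""):
    """The line as it stood before the patch: `type` is not a local here, so
    Python resolves it to the builtin and its repr lands in the record."""
    seuser = seuser or CONTEXT_DEFAULTS["seuser"]
    serange = serange or CONTEXT_DEFAULTS["serange"]
    return "resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (
        encode_nv("tglob", target), FTYPE_TO_AUDIT[ftype],
        seuser, "object_r", type, serange)


def delete_equal_record(target):
    """Audit line for removing an equivalence rule; equivalence rules have
    no meaningful ftype, so none is logged (matches the patched line)."""
    return "resrc=fcontext op=delete-equal %s" % encode_nv("tglob", target)


if __name__ == "__main__":
    print(modify_record("/srv/www(/.*)?", "httpd_sys_content_t", "f"))
    print(modify_record_before_fix("/srv/www(/.*)?", "httpd_sys_content_t", "f"))
    print(delete_equal_record("/var/www"))
    try:
        build_context("httpd_sys_content_t",
                      defaults={"seuser": "system_u", "role": "object_r",
                                "serange": ""})
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the patched record with a complete four-field context, the pre-patch record carrying `<class 'type'>` where the SELinux type should be, and the rejection of a context whose range default is itself empty, which is the serange case raised in the thread.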