On Fri, Nov 11, 2016 at 9:59 AM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
>> Specifically, the following dontaudit rule is in that file:
>>
>> dontaudit su self:capability_class_set *;
>>
>> which expands out to:
>>
>> dontaudit su self:{ capability capability2 } *;
>>
>
> That should not work. AFAIK you cannot use the "*" with two different
> classes
>
> you would need to
>
> dontaudit su self:capability *;
> dontaudit su self:capability2 *;
>
> Maybe the other policy "bullhead" does not have the invalid
> dontaudit su self:capability_class_set *; rule

They both have the same "dontaudit su self:capability_class_set *" statements, yet one compiles differently than the other.

nnk@nick:~$ wget -q http://kralevich.com/bullhead.policy.conf
nnk@nick:~$ wget -q http://kralevich.com/marlin.policy.conf
nnk@nick:~$ grep "dontaudit su" bullhead.policy.conf marlin.policy.conf | grep capability
bullhead.policy.conf: dontaudit su self:{ capability capability2 } *;
marlin.policy.conf: dontaudit su self:{ capability capability2 } *;

And changing from

dontaudit su self:{ capability capability2 } *;

to

dontaudit su self:capability *;
dontaudit su self:capability2 *;

has no effect and the policy continues to not pick up the neverallow rules.

-- Nick
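As an added illustration (not code from the thread or from the SELinux project), the following script expands class-set rules such as `dontaudit su self:{ capability capability2 } *;` into one rule per class, as Dominick suggests, and then reports which neverallow rules of one expanded policy.conf are absent from the other. The policy excerpts are constructed stand-ins for the real bullhead and marlin files.

```python
import re

# Constructed excerpts standing in for bullhead.policy.conf / marlin.policy.conf;
# these are not the real files referenced in the thread.
BULLHEAD = """\
dontaudit su self:{ capability capability2 } *;
neverallow { domain -su } self:capability sys_admin;
"""
MARLIN = """\
dontaudit su self:{ capability capability2 } *;
"""

# Matches the TE access-vector rule shape: kind source target:class perms;
# with any of source/target/class/perms optionally written as a { set }.
RULE_RE = re.compile(
    r"^\s*(?P<kind>allow|dontaudit|auditallow|neverallow)\s+"
    r"(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+):(?P<cls>\{[^}]*\}|\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+)\s*;"
)

def split_set(token):
    """Turn '{ a b }' into ['a', 'b']; a bare token becomes [token]."""
    if token.startswith("{"):
        return token.strip("{}").split()
    return [token]

def expand_rules(policy_text):
    """Rewrite every rule so that each object class gets its own rule."""
    out = []
    for line in policy_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, declarations, or rule shapes not handled here
        for cls in split_set(m.group("cls")):
            out.append(f"{m.group('kind')} {m.group('src')} "
                       f"{m.group('tgt')}:{cls} {m.group('perms')};")
    return out

def missing_rules(reference, other, kind="neverallow"):
    """Rules of the given kind present in reference but absent from other."""
    ref = {r for r in expand_rules(reference) if r.startswith(kind)}
    oth = set(expand_rules(other))
    return sorted(ref - oth)

if __name__ == "__main__":
    for rule in expand_rules(BULLHEAD):
        print(rule)
    print("missing from marlin:", missing_rules(BULLHEAD, MARLIN))
```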