2018-06-12 11:06 GMT+02:00 Jan Zarsky <jzarsky@xxxxxxxxxx>:
> Add support for extended permissions to audit2allow. Extend AuditParser
> to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
> generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
> to turn on generating of extended permission AV rules.
>
> AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
> converts the ioctlcmd values into generic representation of extended
> permissions that is stored in access vectors.
>
> Extended permissions are represented by operations (currently only
> 'ioctl') and values associated to the operations. Values (for example
> '~{ 0x42 1234 23-34 }') are stored in the XpermSet class.
>
> PolicyGenerator contains new method to turn on generating of xperms.
> When turned on, for each access vector, standard AV rule and possibly
> several xperm AV rules are generated. Xperm AV rules are represented by
> the AVExtRule class.
>
> With xperm generating turned off, PolicyGenerator provides comments
> about extended permissions in certain situations. When the AVC message
> contains the ioctlcmd field and the access would be allowed according to
> the policy, PolicyGenerator warns about xperm rules being the possible
> cause of the denial.
>
> Signed-off-by: Jan Zarsky <jzarsky@xxxxxxxxxx>
> ---
>
> V2 fixes two whitespace issues, in audit.py uses 'except ValueError'
> instead of bare except, and fixes typo in error message in policygen.py

Thanks. I have applied your three patches.

Nicolas
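
The flow the quoted commit message describes (read 'ioctlcmd' from AVC denials, collect the values per access vector, emit an allowxperm rule), as an added example that is not part of the original thread and is not the audit2allow code. The function names, the sample types app_t and tty_device_t, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed AVC denials for illustration; not taken from the original thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1528794001.100:201): avc:  denied  { ioctl } for  pid=812 comm="app" path="/dev/tty1" dev="devtmpfs" ino=1042 ioctlcmd=0x5401 scontext=system_u:system_r:app_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1528794001.200:202): avc:  denied  { ioctl } for  pid=812 comm="app" path="/dev/tty1" dev="devtmpfs" ino=1042 ioctlcmd=5402 scontext=system_u:system_r:app_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1528794001.300:203): avc:  denied  { ioctl } for  pid=812 comm="app" path="/dev/tty1" dev="devtmpfs" ino=1042 ioctlcmd=0x5403 scontext=system_u:system_r:app_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1528794001.400:204): avc:  denied  { ioctl } for  pid=812 comm="app" path="/dev/tty1" dev="devtmpfs" ino=1042 ioctlcmd=0x5413 scontext=system_u:system_r:app_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1528794001.500:205): avc:  denied  { ioctl } for  pid=812 comm="app" path="/dev/tty1" dev="devtmpfs" ino=1042 ioctlcmd=zz scontext=system_u:system_r:app_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def parse_avc(line):
    """Return (source type, target type, class, ioctl command) or None."""
    fields = dict(FIELD.findall(line))
    perms = PERMS.search(line)
    if not perms or "ioctl" not in perms.group(1).split():
        return None
    try:
        cmd = int(fields["ioctlcmd"], 16)  # treated as hex; optional 0x prefix
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return src, tgt, fields["tclass"], cmd
    except (KeyError, ValueError, IndexError):
        return None  # missing or malformed field: skip the record

def to_ranges(values):
    ranges = []
    for v in sorted(set(values)):  # merge consecutive commands into [lo, hi]
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1][1] = v
        else:
            ranges.append([v, v])
    return ranges

def generate_allowxperm(log):
    """Emit one allowxperm rule per (source, target, class) seen in the log."""
    seen = defaultdict(list)
    for line in log.splitlines():
        if (parsed := parse_avc(line)):
            seen[parsed[:3]].append(parsed[3])
    rules = []
    for (src, tgt, cls), cmds in sorted(seen.items()):
        items = " ".join(f"0x{lo:04x}" if lo == hi else f"0x{lo:04x}-0x{hi:04x}" for lo, hi in to_ranges(cmds))
        rules.append(f"allowxperm {src} {tgt}:{cls} ioctl {{ {items} }};")
    return rules
```

Calling generate_allowxperm(SAMPLE_LOG) merges the three adjacent commands into one range and drops the record with the unparsable ioctlcmd value.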