Folks, I've been studying audit2allow in order to understand how to use the sepolgen library, and I've a couple of questions about how the code is structured and how the manpage is phrased. One concerns dontaudit (-D), the other concerns refpolicy (-R/-N). I'd appreciate your reviewing this and setting me straight.

For dontaudit, audit2allow reads

    parser.add_option("-D", "--dontaudit", action="store_true",
                      dest="dontaudit", default=False,
                      help="generate policy with dontaudit rules")

while audit2allow.1 reads

    .B "\-D" | "\-\-dontaudit"
    Generate dontaudit rules (Default: allow)

Since '-D' defaults to false and only sets dontaudit true if present, shouldn't the man page read

    .B "\-D" | "\-\-dontaudit"
    Generate dontaudit rules (Default: False, do not generate dontaudit rules)

? They may mean the same thing, but the second reading seems clearer to me.

It's a bit muddier for refpolicy-style output, for which audit2allow reads

    parser.add_option("-R", "--reference", action="store_true",
                      dest="refpolicy", default=True,
                      help="generate refpolicy style output")
    parser.add_option("-N", "--noreference", action="store_false",
                      dest="refpolicy", default=False,
                      help="do not generate refpolicy style output")

The corresponding lines in audit2allow.1 are:

    .B "\-N" | "\-\-noreference"
    Do not generate reference policy, traditional style allow rules.
    This is the default behavior.
    .B "\-R" | "\-\-reference"
    Generate reference policy using installed macros. This attempts to
    match denials against interfaces and may be inaccurate.

Since both -R and -N set refpolicy, the only way I can make sense of this is if defining the '-N' option *after* the definition of '-R' overrides refpolicy as set by -R. That seems reasonable to me, but I wanted to confirm.
It might make it clearer if the -R option had a default of false, as in

    parser.add_option("-R", "--reference", action="store_true",
                      dest="refpolicy", default=False,
                      help="generate refpolicy style output")

In other words, leave -R out, and default to the -N behaviour.

Since -R and -N are opposites, would it make sense to make them mutually exclusive?

    refPolOpt = parser.add_mutually_exclusive_group()
    refPolOpt.add_option("-R", "--reference", action="store_true",
                         dest="refpolicy", default=False,
                         help="generate refpolicy style output")
    refPolOpt.add_option("-N", "--noreference", action="store_false",
                         dest="refpolicy", default=False,
                         help="do not generate refpolicy style output")

This would make it clearer that only one of these options should be provided and that only -R changes default behaviour.

Thoughts?

Thanks,
P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP
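The two questions above can be checked directly. This is an added example, not audit2allow's own code: current_refpolicy() reproduces the existing -R/-N definitions with optparse (the module audit2allow uses) and shows which default wins, and proposed_refpolicy() renders the mutually exclusive variant with argparse, since optparse has no add_mutually_exclusive_group (the argparse port is an assumption of this example).

```python
import argparse
import optparse


def current_refpolicy(argv):
    """audit2allow's current -R/-N definitions, as quoted in the mail.
    Returns the value of the shared 'refpolicy' dest for the given argv."""
    parser = optparse.OptionParser()
    parser.add_option("-R", "--reference", action="store_true",
                      dest="refpolicy", default=True,
                      help="generate refpolicy style output")
    parser.add_option("-N", "--noreference", action="store_false",
                      dest="refpolicy", default=False,
                      help="do not generate refpolicy style output")
    # optparse writes each option's default into parser.defaults as the
    # option is added, so the -N definition (added last) overwrites the
    # default=True set by -R: with no flags, refpolicy comes out False.
    options, _ = parser.parse_args(list(argv))
    return options.refpolicy


def proposed_refpolicy(argv):
    """Mutually exclusive -R/-N as sketched in the mail, using argparse
    (assumed port; optparse cannot express the exclusion).
    Returns True or False, or None when -R and -N are given together."""
    parser = argparse.ArgumentParser(prog="audit2allow")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-R", "--reference", action="store_true",
                       dest="refpolicy", default=False,
                       help="generate refpolicy style output")
    group.add_argument("-N", "--noreference", action="store_false",
                       dest="refpolicy", default=False,
                       help="do not generate refpolicy style output")
    # Caveat for the port: argparse applies defaults in definition order
    # and keeps the first value it sets for a dest, the opposite of
    # optparse. Giving both options the same explicit default avoids
    # depending on that ordering at all.
    try:
        return parser.parse_args(list(argv)).refpolicy
    except SystemExit:
        # argparse rejects "-R -N" with "not allowed with argument" and
        # exits with status 2; report that as None here.
        return None
```

With no flags both variants yield refpolicy False, -R alone gives True and -N alone gives False; only the proposed variant refuses "-R -N".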