Peter Whittaker <pww@xxxxxxxxxxxx> writes:

> Folks, I've been studying audit2allow in order to understand how to
> use the sepolgen library, and I've a couple of questions about how the
> code is structured and how the manpage is phrased. One concerns
> dontaudit (-D), the other concerns refpolicy (-R/-N). I'd appreciate
> your reviewing this and setting me straight.
>
> For dontaudit, audit2allow reads
>
>     parser.add_option("-D", "--dontaudit", action="store_true",
>                       dest="dontaudit", default=False,
>                       help="generate policy with dontaudit rules")
>
> while audit2allow.1 reads
>
>     .B "\-D" | "\-\-dontaudit"
>     Generate dontaudit rules (Default: allow)
>
> Since '-D' defaults to false and only sets dontaudit true if present,
> shouldn't the man page read
>
>     .B "\-D" | "\-\-dontaudit"
>     Generate dontaudit rules (Default: False, do not generate dontaudit rules)
>
> ???
>
> They may mean the same thing, but the second reading seems clearer to me.
>
> It's a bit muddier for refpolicy-style output, for which audit2allow reads
>
>     parser.add_option("-R", "--reference", action="store_true",
>                       dest="refpolicy",
>                       default=True, help="generate refpolicy style output")
>     parser.add_option("-N", "--noreference", action="store_false",
>                       dest="refpolicy",
>                       default=False, help="do not generate refpolicy style output")
>
> The corresponding lines in audit2allow.1 are:
>
>     .B "\-N" | "\-\-noreference"
>     Do not generate reference policy, traditional style allow rules.
>     This is the default behavior.
>
>     .B "\-R" | "\-\-reference"
>     Generate reference policy using installed macros.
>     This attempts to match denials against interfaces and may be inaccurate.
>
> Since both -R and -N set refpolicy, the only way I can make sense of
> this is if defining the '-N' option *after* the definition of '-R'
> overrides refpolicy as set by -R. That seems reasonable to me, but I
> wanted to confirm. It might make it clearer if the -R option had a
> default of false, as in
>
>     parser.add_option("-R", "--reference", action="store_true",
>                       dest="refpolicy",
>                       default=False, help="generate refpolicy style output")
>
> In other words, leave -R out, and default to the -N behaviour.
>
> Since -R and -N are opposites, would it make sense to make them
> mutually exclusive?
>
>     refPolOpt = parser.add_mutually_exclusive_group()
>     refPolOpt.add_option("-R", "--reference", action="store_true",
>                          dest="refpolicy",
>                          default=False, help="generate refpolicy style output")
>     refPolOpt.add_option("-N", "--noreference",
>                          action="store_false", dest="refpolicy",
>                          default=False, help="do not generate refpolicy style output")
>
> This would make it clearer that only one of these options should be
> provided and that only -R changes default behaviour.
>
> Thoughts?

I think that would probably be an improvement. The reference policy
specific option (-M) should probably be removed in my view.

>
> Thanks,
>
> P
>
> Peter Whittaker
> EdgeKeep Inc.
> www.edgekeep.com
> +1 613 864 5337
> +1 613 864 KEEP

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
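The example below is added here to settle the question in the thread; it is not code from audit2allow, sepolgen or either poster. It rebuilds the quoted -D/-R/-N optparse definitions and shows which default survives when two options share one dest: optparse keeps a single default per dest and every add_option() that passes an explicit default overwrites it, so the -N definition, registered last, is what makes refpolicy default to False. It then rebuilds the -R/-N pair the way the proposal sketches it. One correction to the sketch is assumed: optparse has no add_mutually_exclusive_group(); that method belongs to argparse.ArgumentParser, and members of such a group are added with add_argument(), not add_option(). The _StrictParser subclass and the parse_with_* helper names are this example's own.

```python
# Added example (not audit2allow code): how optparse resolves conflicting
# defaults on a shared dest, and the argparse form of a mutually exclusive
# -R/-N pair. Helper names and _StrictParser are this example's inventions.
import argparse
import optparse


def build_optparse_parser():
    """Same option definitions as quoted from audit2allow, in optparse."""
    parser = optparse.OptionParser(prog="audit2allow")
    parser.add_option("-D", "--dontaudit", action="store_true",
                      dest="dontaudit", default=False,
                      help="generate policy with dontaudit rules")
    # Both options share dest="refpolicy". add_option() writes each explicit
    # default into parser.defaults["refpolicy"], so the default=False given
    # on -N (registered last) replaces the default=True given on -R.
    parser.add_option("-R", "--reference", action="store_true",
                      dest="refpolicy", default=True,
                      help="generate refpolicy style output")
    parser.add_option("-N", "--noreference", action="store_false",
                      dest="refpolicy", default=False,
                      help="do not generate refpolicy style output")
    return parser


def optparse_default_refpolicy():
    """The refpolicy value optparse uses when neither -R nor -N is given."""
    return build_optparse_parser().get_default_values().refpolicy


def parse_with_optparse(argv):
    """Resolve argv (list of strings, without argv[0]) with the optparse layout.
    With no group, -R and -N may both appear and the last one wins."""
    opts, _rest = build_optparse_parser().parse_args(argv)
    return {"dontaudit": opts.dontaudit, "refpolicy": opts.refpolicy}


class _StrictParser(argparse.ArgumentParser):
    """argparse normally prints the usage error and calls sys.exit(2);
    raising instead lets a caller observe the rejection."""

    def error(self, message):
        raise ValueError(message)


def build_argparse_parser():
    """The proposed layout: -R and -N in one mutually exclusive group, both
    defaulting to False, so only -R changes the default behaviour."""
    parser = _StrictParser(prog="audit2allow")
    parser.add_argument("-D", "--dontaudit", action="store_true",
                        dest="dontaudit", default=False,
                        help="generate policy with dontaudit rules")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-R", "--reference", action="store_true",
                       dest="refpolicy", default=False,
                       help="generate refpolicy style output")
    group.add_argument("-N", "--noreference", action="store_false",
                       dest="refpolicy", default=False,
                       help="do not generate refpolicy style output")
    return parser


def parse_with_argparse(argv):
    """Resolve argv with the grouped layout; return None when argparse
    rejects it, which is what happens for -R and -N together."""
    try:
        ns = build_argparse_parser().parse_args(argv)
    except ValueError:
        return None
    return {"dontaudit": ns.dontaudit, "refpolicy": ns.refpolicy}


if __name__ == "__main__":
    print("optparse default for refpolicy:", optparse_default_refpolicy())
    for argv in ([], ["-R"], ["-N"], ["-D", "-R"], ["-R", "-N"], ["-N", "-R"]):
        print(argv, "optparse ->", parse_with_optparse(argv),
              "| argparse ->", parse_with_argparse(argv))
```

Run as-is to see the two layouts side by side: the optparse version silently accepts "-R -N" and "-N -R" and reports whichever came last, while the grouped argparse version refuses both orderings with "not allowed with argument".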