AVC Denials on UDEV
Chris Richards
gizmo at giz-works.com
Fri Dec 4 22:38:39 UTC 2009
On 12/02/2009 05:21 PM, Dominick Grift wrote:
>> Ah, but therein seems to lie the rub for me: near as I can tell,
>> there were some major changes made in how the policy is written
>> somewhere around the late May/early June timeframe. All of the
>> documentation that I can find refers to the new framework, whereas
>> the policy I'm using appears to be based on the old framework. As a
>> consequence, just about the time I think I'm starting to get a
>> handle on what works how, I run into something that doesn't
>> correspond to what the SELinux docs are telling me.
>>
>> A good example is refpolicy itself: the policy explained at the
>> Tresys site:
>>
>> http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
>>
>> Seems to be rather well thought out, and reasonably logical and
>> orthogonal. It also seems to bear little resemblance to what I'm
>> using. The instructions for the tools that I come across seem to
>> mostly reference things that don't even exist for me, or if they did
>> exist would be absolutely useless to me because they are GUI tools,
>> and my systems don't even have X installed.
>>
> As far as I know the structure is pretty much the same
>
There are a good many types, transitions, and helper macros that don't
seem to exist in the Gentoo policy.
>> I realize that a good deal of this is almost certainly due to the
>> fact that I'm on Gentoo. I'd much rather be part of the solution
>> than part of the problem, so I want to get to where I can start
>> helping with Gentoo's SELinux implementation, but I'm so blasted
>> confused I don't even rightly know how to start.
>>
>> As I've said previously, Gentoo SEEMS to be using policy and tools
>> from RHEL 4's incarnation of SELinux. That's all well and good,
>> EXCEPT that the documentation describing the policies and tools
>> seems to have gone wandering, so those of us poor schmucks stuck
>> schlepping through the muck of the previous generation's tools have
>> no clue where we are or where we are going, and since I don't even
>> have the source for the policies that I AM using, I'm stuck with my
>> finger up my nose going "Whuh?"
>>
> Well I am not sure but it is unlikely like El4. Any open source project should make the source available so it should be somewhere.
>
Good point. And pursuing that angle, I have in fact found the source
for the Gentoo policy. I'm digging through it now. Fortunately, the M4
macro language is pretty simple. ;)
Later,
Chris