AVC Decision Tree.

Thorsten Scherf tscherf at redhat.com
Fri Mar 31 09:44:25 UTC 2006


On Thu, 2006-03-30 at 14:51 -0500, Daniel J Walsh wrote:
> http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions#preview
> 
> Trying to build an analysis tool to be able to translate avc messages 
> into possible boolean/file_context solutions.
> 
> The idea is that we can look at the AVC messages that are generated and 
> figure out what the servers were trying to do.  Then we can give some 
> advice to the administrator on the corrective measures.  So what we are 
> looking for are expected code paths where there is a file context of 
> boolean available.

Usually if an AVC denial is fixed with a corresponding rule, the next AVC
comes up in the log (allow getattr, after that AVC: denied read, and so
on). Probably we don't want to annoy the administrator with several
pop-ups coming up on his screen.

What do you think about that?

-- 
Thorsten Scherf, RHCE, RHCA, RHCSS       Mobile: ++49 172 61 32 548
Red Hat GLS EMEA                         Fax: ++49 2064 470 564
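
Added example, not part of the original messages or of any Fedora tool: one way to keep the successive denials described above (getattr, then read, and so on) from producing one alert each is to group AVC records by source context, target context and object class, and report each group once. The sample log lines are constructed, and the function names `parse_avc`, `coalesce` and `notifications` are hypothetical.

```python
import re

# Matches the permission set and the trailing key=value fields of a denial.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from a real system).
SAMPLE = [
    'audit(1143798265.101:41): avc:  denied  { getattr } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file',
    'audit(1143798301.552:42): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file',
    'audit(1143798302.007:43): avc:  denied  { read } for  pid=2346 comm="httpd" name="logo.png" dev=dm-0 ino=4712 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file',
    'audit(1143798400.900:44): avc:  denied  { name_bind } for  pid=2400 comm="named" src=5353 scontext=system_u:system_r:named_t tcontext=system_u:object_r:port_t tclass=udp_socket',
    'kernel: unrelated line that is not an AVC record',
]

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def coalesce(lines):
    """Group denials by (scontext, tcontext, tclass), merging permissions."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue  # skip non-AVC or incomplete records
        key = (rec['scontext'], rec['tcontext'], rec['tclass'])
        g = groups.setdefault(key, {'perms': [], 'comms': set(), 'count': 0})
        g['perms'] += [p for p in rec['perms'] if p not in g['perms']]
        g['comms'].add(rec.get('comm', '?'))
        g['count'] += 1
    return groups

def notifications(groups):
    """One message per group instead of one per denial."""
    return ['%s -> %s (%s): { %s } denied %d time(s), commands: %s'
            % (s, t, c, ' '.join(g['perms']), g['count'], ', '.join(sorted(g['comms'])))
            for (s, t, c), g in groups.items()]

if __name__ == '__main__':
    for msg in notifications(coalesce(SAMPLE)):
        print(msg)
```
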