refpolicy interfaces (was RE: httpd can't send mails)

David Caplan dac at
Wed Jul 4 14:35:50 UTC 2007

> From: Shintaro Fujiwara [mailto:shin216 at]
[text cut]
> As a matter of fact, I printed every interface and felt at a loss,
> because of its thickness.

Yes, not a good idea. :)

> In what page or software can I find those defined interfaces?

SLIDE has multiple features that can help you find interfaces. Its
default configuration brings up an Interfaces window on the right side.
The interfaces are grouped by layer (e.g., kernel, services, apps, etc.)
and then by module. If you left click on an interface name, SLIDE shows
you the policy source for the interface in the Declaration tabbed window
at the bottom. You do need to understand the convention used for
interface names and have a general idea of where an interface might be

SLIDE gives you interface completion in the module editing window when
you type <Ctrl><space>. The completion pop-up shows initial matches in
module names up until the first underscore, '_'. For example, if I type
"core" and hit <Ctrl><space>, SLIDE will show me the possible
completions are "corecommands" and "corenetworks", and it will show me a
summary comment for each one. If I pick "corecommands" SLIDE completes
the first part of the interface, "corecmd_", and then it will show all
of the interfaces that start with "corecmd_" and short descriptions of
each one. I select which interface I want, let's say
"corecmd_bin_domtrans", and SLIDE pastes the full name in with "()" and
shows a hint about what arguments are required for the interface (in
this case it shows, "domain, target_domain"). You can also press
<Ctrl><Shift><space> between the parentheses to see the parameter popup

The descriptions are only as complete as the authors made them. The
general format of interfaces and syntax conventions can be found on the
Reference Policy pages, <>, and
I'm sure Chris PeBenito would welcome any Reference Policy patches that
expand the interface documentation. SLIDE,
<> has plenty of documentation and
we would welcome any suggestions.

> I once wrote such a software named segatex...
> Why is audit2allow just echoing raw access vectors and not interfaces?

It is a simple tool designed to make it easy for people whose main
objective is to get their application working. It is useful in providing
a quick summary of the denials in the logs, but if you're trying to
develop a strict policy you should not simply accept the output of
audit2allow as your policy.

> I think if audit2allow has such an option, it would be more convenient
> and rewarding.

I believe that is Karl's objective with Madison/sepolgen. Matching an
appropriate interface is not an easy problem. 

Even if you have a tool that can suggest the appropriate interface you
still need to consider if the access is really required (quite often
applications ask for access they don't really need) and, if so, if you
should allow the access or fix the application.

> Maybe I should rewrite my own program this
> summer, though.
> Or are there other projects doing the same thing?
> Karl's project?
>    my homepage
> Officer, System-Information, Signal School, JGSDF
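As an added illustration of the completion convention described above (module name, then the module prefix up to the first underscore, then the interface's own name with its documented parameters), here is a small script that is not part of this thread, of SLIDE or of refpolicy. It parses constructed sample text written in refpolicy's `##` XML doc-comment style and offers the same two-step completion. Everything in SAMPLE_MODULES is constructed sample data modelled on refpolicy naming (the module is called corenetwork where the mail says "corenetworks"); nothing is read from a real refpolicy checkout.

```python
"""SLIDE-style interface completion over Reference Policy '.if' files.
Added example, not SLIDE's or refpolicy's code. SAMPLE_MODULES is constructed
sample data written in refpolicy's '##' doc-comment style with simplified bodies."""
import re
from dataclasses import dataclass

SAMPLE_MODULES = {  # module name -> contents of that module's .if file (constructed)
    "corecommands": """\
########################################
## <summary>
##  Execute generic programs in bin directories
##  in the specified domain.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed to transition.
##  </summary>
## </param>
## <param name="target_domain">
##  <summary>
##  The type of the new process.
##  </summary>
## </param>
#
interface(`corecmd_bin_domtrans',`
    type_transition $1 bin_t:process $2;
')

## <summary>Execute generic programs in bin directories in the caller domain.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`corecmd_exec_bin',`
    allow $1 bin_t:file { execute execute_no_trans };
')
""",
    "corenetwork": """\
## <summary>Connect TCP sockets to the SMTP port.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`corenet_tcp_connect_smtp_port',`
    allow $1 smtp_port_t:tcp_socket name_connect;
')
""",
}

DECL_RE = re.compile(r"^(?:interface|template)\(`(\w+)'")
SUMMARY_RE = re.compile(r"<summary>(.*?)</summary>", re.S)
PARAM_RE = re.compile(r'<param name="(\w+)"[^>]*>\s*<summary>(.*?)</summary>', re.S)


def squash(s):
    return " ".join(s.split())  # collapse the '##' line wrapping into one line


@dataclass(frozen=True)
class Interface:
    module: str
    name: str
    summary: str
    params: tuple  # ((param name, description), ...) in declaration order

    def signature(self):
        # what SLIDE's parameter hint shows, e.g. "domain, target_domain"
        return f"{self.name}({', '.join(p for p, _ in self.params)})"


def parse_if(module, text):
    """Attach the '##' doc block preceding each declaration to that interface."""
    found, doc = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("##"):
            if body := line.lstrip("#").strip():  # empty for '####...' separator rules
                doc.append(body)
        elif m := DECL_RE.match(line):  # interface body lines match neither and are skipped
            doctext = "\n".join(doc)
            sm = SUMMARY_RE.search(doctext)  # the first <summary> is the interface's own
            params = tuple((n, squash(d)) for n, d in PARAM_RE.findall(doctext))
            found.append(Interface(module, m.group(1), squash(sm.group(1)) if sm else "", params))
            doc = []
    return found


def build_index(modules):
    return [i for module, text in modules.items() for i in parse_if(module, text)]


def complete_module(index, typed):
    """First <Ctrl><space> step: module names that start with what was typed."""
    return sorted({i.module for i in index if i.module.startswith(typed)})


def module_prefix(index, module):
    """Prefix pasted once a module is picked (corecommands -> corecmd_): the part
    of the interface name up to the first underscore, by refpolicy convention."""
    prefixes = {i.name.split("_", 1)[0] + "_" for i in index if i.module == module}
    return prefixes.pop() if len(prefixes) == 1 else None


def complete_interface(index, typed):
    """Second step: interfaces whose name starts with the typed text."""
    return sorted((i for i in index if i.name.startswith(typed)), key=lambda i: i.name)


if __name__ == "__main__":
    for i in complete_interface(build_index(SAMPLE_MODULES), "corecmd_"):
        print(i.signature(), "-", i.summary)
```

Running it lists the two `corecmd_` interfaces with their signatures. The descriptions are taken from the `<summary>` blocks, so, exactly as the mail says, they are only as complete as the authors made them; an interface without a doc block still gets indexed, just with an empty summary.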
