Debian testing +selinux

Stephen Smalley sds at tycho.nsa.gov
Mon Jul 23 18:13:45 UTC 2007


On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
> Another question, does doing this audit2allow method sort of mean "I
> have no idea what I'm doing, so allow it all", or is that why it
> caught the hald_t memory portion and said NO, don't do this!

As per the audit2allow man page, you should think through the rules
generated by audit2allow, not just blindly take them.

The neverallow statements aka assertions in the base policy will catch
certain kinds of dangerous access or malformed rules, but are certainly
not exhaustive.

Mapping the low-level allow rules to higher level abstractions is
something you get from using reference policy, if you use the reference
policy interfaces.  You might try running audit2allow with the -R option
to try to have it generate calls to reference policy interfaces.  What
version of audit2allow are you using?

You may want to try SLIDE for policy writing, as it makes it much easier
to search reference policy interfaces, access the inline documentation,
etc.

-- 
Stephen Smalley
National Security Agency
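The point above is that audit2allow turns every denial into an allow rule and that the neverallow assertions are only a partial safety net, so the generated rules have to be reviewed by a person. The following script is an added illustration of that review step; it is not code from this thread, from audit2allow, or from reference policy. It parses a few constructed AVC denial lines (labelled as such), collapses them into allow rules the way audit2allow does, and then flags rules that touch permissions or target types a policy reviewer would not accept without justification. The `RISKY_PERMS` and `RISKY_TARGET_TYPES` sets are assumptions chosen for the example, not the actual neverallow assertions in any policy.

```python
import re
from collections import OrderedDict

# Constructed sample AVC denials in the standard audit log format.
# These are not real log lines from the thread; they were written for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1185209400.101:42): avc:  denied  { read } for  pid=2101 comm="hald" name="hal.conf" dev=sda1 ino=1234 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1185209400.102:43): avc:  denied  { execmem } for  pid=2101 comm="hald" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process
type=AVC msg=audit(1185209400.103:44): avc:  denied  { read write } for  pid=2101 comm="hald" name="mem" dev=tmpfs ino=5 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=AVC msg=audit(1185209400.104:45): avc:  denied  { write } for  pid=2101 comm="hald" name="hal" dev=sda1 ino=999 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

# Extract the permission set, source/target contexts and object class from one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed review lists for this example: permissions and target types that should
# never be granted just because a denial showed up. Real policy uses neverallow
# assertions and reviewer judgement, not a fixed list like this.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod", "setenforce", "load_policy"}
RISKY_TARGET_TYPES = {"memory_device_t", "security_t", "shadow_t", "kernel_t"}


def domain_of(context):
    """Return the type field (third component) of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line into a dict, or return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": domain_of(m.group("scontext")),
        "target": domain_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def denials_to_rules(log_text):
    """Collapse denials into (source, target, class) -> perms, as audit2allow does."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    return rules


def format_rule(key, perms):
    """Render one rule in allow-rule syntax, using 'self' when source and target match."""
    src, tgt, cls = key
    target = "self" if tgt == src else tgt
    return "allow %s %s:%s { %s };" % (src, target, cls, " ".join(sorted(perms)))


def review_rules(rules):
    """Split generated rules into (accepted, flagged); flagged entries carry a reason."""
    accepted, flagged = [], []
    for key, perms in rules.items():
        _, tgt, _ = key
        reasons = []
        risky = perms & RISKY_PERMS
        if risky:
            reasons.append("grants %s" % ",".join(sorted(risky)))
        if tgt in RISKY_TARGET_TYPES:
            reasons.append("target type %s" % tgt)
        rule = format_rule(key, perms)
        if reasons:
            flagged.append((rule, "; ".join(reasons)))
        else:
            accepted.append(rule)
    return accepted, flagged


if __name__ == "__main__":
    accepted, flagged = review_rules(denials_to_rules(SAMPLE_AUDIT_LOG))
    print("# rules that look routine (still read them):")
    for rule in accepted:
        print(rule)
    print("# rules needing justification before they go into a module:")
    for rule, why in flagged:
        print("%s    # %s" % (rule, why))
```

Run against the constructed log, the execmem rule for hald_t and the read/write rule on memory_device_t end up in the flagged list, while the file read and directory write rules look routine. That split is the manual step the reply is asking for: the flagged rules are the ones where the right answer is usually to fix labelling or the application rather than to allow the access.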
