Debian testing +selinux

Ken YANG spng.yang at
Tue Jul 24 02:17:48 UTC 2007

Stephen Smalley wrote:
> On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
>> Another question, does doing this audit2allow method sort of mean "I
>> have no idea what I'm doing, so allow it all", or is that why  it
>> caught the hald_t memory portion and said NO, don't do this! 
> As per the audit2allow man page, you should think through the rules
> generated by audit2allow, not just blindly take them.
> The neverallow statements aka assertions in the base policy will catch
> certain kinds of dangerous access or malformed rules, but are certainly
> not exhaustive.

with your words, can i think the violated assertion, such as:

assertion on line 0 violated by allow ......

only be introduced by "neverallow" rules? Are there any other rules
will cause this kind of errors?

> Mapping the low-level allow rules to higher level abstractions is
> something you get from using reference policy, if you use the reference
> policy interfaces.  You might try running audit2allow with the -R option
> to try to have it generate calls to reference policy interfaces.  What
> version of audit2allow are you using?
> You may want to try SLIDE for policy writing, as it makes it much easier
> to search reference policy interfaces, access the inline documentation,
> etc.

More information about the fedora-selinux-list mailing list