Debian testing +selinux
Ken YANG
spng.yang at gmail.com
Tue Jul 24 02:17:48 UTC 2007
Stephen Smalley wrote:
> On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
>> Another question, does doing this audit2allow method sort of mean "I
>> have no idea what I'm doing, so allow it all", or is that why it
>> caught the hald_t memory portion and said NO, don't do this!
>
> As per the audit2allow man page, you should think through the rules
> generated by audit2allow, not just blindly take them.
>
> The neverallow statements aka assertions in the base policy will catch
> certain kinds of dangerous access or malformed rules, but are certainly
> not exhaustive.
With your words, can I think the violated assertion, such as:
assertion on line 0 violated by allow ......
is only introduced by "neverallow" rules? Are there any other rules that
will cause this kind of error?
>
> Mapping the low-level allow rules to higher level abstractions is
> something you get from using reference policy, if you use the reference
> policy interfaces. You might try running audit2allow with the -R option
> to try to have it generate calls to reference policy interfaces. What
> version of audit2allow are you using?
>
> You may want to try SLIDE for policy writing, as it makes it much easier
> to search reference policy interfaces, access the inline documentation,
> etc.
>
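To make the exchange above concrete, here is a small added example (not code from this thread, and not the real audit2allow or checkpolicy) that models the two steps being discussed: turning AVC denials into allow rules the way audit2allow does, and then checking those rules against neverallow statements, which is what produces an "assertion on line N violated by allow ..." message. The AVC log lines, the neverallow rule, the line number and every type name other than hald_t are constructed for illustration.

```python
"""Toy model of audit2allow plus a neverallow assertion check.

Added illustration for the fedora-selinux-list thread; not the project's code.
All sample data below is constructed: only hald_t appears in the original thread.
"""
import re

# Constructed AVC denials in the layout used by /var/log/audit/audit.log.
SAMPLE_AVC = """\
type=AVC msg=audit(1185230000.123:42): avc:  denied  { read } for  pid=1234 comm="hald" name="resolv.conf" dev=sda1 ino=12345 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1185230000.456:43): avc:  denied  { execmem } for  pid=1234 comm="hald" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written in)."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Group denials by (source type, target type, class) -> permissions.

    This is the core of what audit2allow does before it prints allow rules.
    """
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def format_allow(rules):
    """Render grouped denials as allow rules, using 'self' when source == target."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        tgt = "self" if t == s else t
        out.append(f"allow {s} {tgt}:{c} {{ {' '.join(sorted(perms))} }};")
    return out


# Constructed assertions. Each entry: (line number the compiler would report,
# source type set, target type set or "self", object class, forbidden permissions).
# The domain set and the exemption for unconfined_t are assumptions for this example.
CONSTRUCTED_DOMAINS = {"hald_t", "httpd_t", "unconfined_t"}
NEVERALLOW = [
    (0, CONSTRUCTED_DOMAINS - {"unconfined_t"}, "self", "process",
     {"execmem", "execstack"}),
]


def check_assertions(rules, assertions=NEVERALLOW):
    """Report every generated allow rule that intersects a neverallow rule.

    A rule violates an assertion when its source is in the assertion's source
    set, its target matches (or is the same type for 'self'), the class matches
    and at least one permission is forbidden.
    """
    violations = []
    for (s, t, c), perms in sorted(rules.items()):
        for line, src, tgt, cls, denied in assertions:
            target_ok = (t == s) if tgt == "self" else (t in tgt)
            if s in src and target_ok and c == cls and perms & denied:
                shown = "self" if t == s else t
                violations.append(
                    f"assertion on line {line} violated by allow {s} {shown}:{c} "
                    f"{{ {' '.join(sorted(perms & denied))} }};"
                )
    return violations


if __name__ == "__main__":
    generated = parse_avc(SAMPLE_AVC)
    for rule in format_allow(generated):
        print(rule)
    for problem in check_assertions(generated):
        print(problem)
```

Running it prints both generated allow rules and then flags the hald_t execmem rule, which is the behaviour the earlier mail describes: the assertion catches the dangerous rule, while the file read rule passes because nothing in the base policy forbids it, which is exactly why generated rules still need to be reviewed by hand.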
More information about the fedora-selinux-list mailing list