Debian testing +selinux

Stephen Smalley sds at
Tue Jul 24 12:11:30 UTC 2007

On Tue, 2007-07-24 at 10:17 +0800, Ken YANG wrote:
> Stephen Smalley wrote:
> > On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
> >> Another question, does doing this audit2allow method sort of mean "I
> >> have no idea what I'm doing, so allow it all", or is that why  it
> >> caught the hald_t memory portion and said NO, don't do this! 
> > 
> > As per the audit2allow man page, you should think through the rules
> > generated by audit2allow, not just blindly take them.
> > 
> > The neverallow statements aka assertions in the base policy will catch
> > certain kinds of dangerous access or malformed rules, but are certainly
> > not exhaustive.
> with your words, can i think the violated assertion, such as:
> assertion on line 0 violated by allow ......
> only be introduced by "neverallow" rules? Are there any other rules
> will cause this kind of errors?

Only neverallow rules cause those messages to occur.  The "assertion on
line 0" part is a holdover of when this was all done when policy was
compiled from source (versus precompiled loadable modules).

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list