Debian testing +selinux
Stephen Smalley
sds at tycho.nsa.gov
Tue Jul 24 12:11:30 UTC 2007
On Tue, 2007-07-24 at 10:17 +0800, Ken YANG wrote:
> Stephen Smalley wrote:
> > On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
> >> Another question, does doing this audit2allow method sort of mean "I
> >> have no idea what I'm doing, so allow it all", or is that why it
> >> caught the hald_t memory portion and said NO, don't do this!
> >
> > As per the audit2allow man page, you should think through the rules
> > generated by audit2allow, not just blindly take them.
> >
> > The neverallow statements aka assertions in the base policy will catch
> > certain kinds of dangerous access or malformed rules, but are certainly
> > not exhaustive.
>
> With your words, can I think the violated assertion, such as:
>
> assertion on line 0 violated by allow ......
>
> only be introduced by "neverallow" rules? Are there any other rules
> that will cause this kind of error?

Only neverallow rules cause those messages to occur. The "assertion on
line 0" part is a holdover of when this was all done when policy was
compiled from source (versus precompiled loadable modules).
--
Stephen Smalley
National Security Agency
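
Added example (not part of the original message and not code from the SELinux project): a simplified pre-check that compares audit2allow-style allow rules against neverallow rules before a module is built. The sample rules and the membership of the "domain" attribute are constructed for illustration; real policy syntax also has "self", "~" and "*", which this sketch does not handle.

```python
import re

# One allow/neverallow statement: kind, source set, target set, class set, permission set.
RULE = re.compile(r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*:\s*"
                  r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;")

def items(tok):
    """Split '{ a b }' or 'a' into a list of names."""
    return tok.strip("{} ").split()

def expand(tok, attrs):
    """Expand a type set: attributes become their member types, '-x' removes x."""
    inc, exc = set(), set()
    for name in items(tok):
        target = exc if name.startswith("-") else inc
        name = name.lstrip("-")
        target |= attrs.get(name, {name})
    return inc - exc

def parse(text, attrs):
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, expand(src, attrs), expand(tgt, attrs),
                          set(items(cls)), set(items(perms))))
    return rules

def violations(policy_text, attrs):
    """Return (source, target, class, perms) for each allow that a neverallow forbids."""
    rules = parse(policy_text, attrs)
    never = [r for r in rules if r[0] == "neverallow"]
    out = []
    for _, src, tgt, cls, perms in (r for r in rules if r[0] == "allow"):
        for _, nsrc, ntgt, ncls, nperms in never:
            bad = sorted(perms & nperms)
            for s in sorted(src & nsrc):
                for t in sorted(tgt & ntgt):
                    for c in sorted(cls & ncls):
                        if bad:
                            out.append((s, t, c, bad))
    return out

# Constructed sample input: attribute membership and rules are illustrative only.
ATTRS = {"domain": {"hald_t", "kernel_t", "xserver_t"}}
SAMPLE = """
neverallow { domain -kernel_t } memory_device_t:chr_file { read write };
allow hald_t memory_device_t:chr_file { read getattr };
allow hald_t usb_device_t:chr_file { read write };
"""

if __name__ == "__main__":
    for v in violations(SAMPLE, ATTRS):
        print("would violate a neverallow:", v)
```

An allow rule that passes this check has only cleared the assertions it was compared against, so it still needs the manual review described above.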
More information about the fedora-selinux-list
mailing list