AVC Denials on UDEV

Chris Richards gizmo at giz-works.com
Fri Dec 4 22:38:39 UTC 2009


On 12/02/2009 05:21 PM, Dominick Grift wrote:
>> Ah, but therein seems to lie the rub for me: near as I can tell,
>> there were some major changes made in how the policy is written
>> somewhere around the late May/early June timeframe.  All of the
>> documentation that I can find refers to the new framework, whereas
>> the policy I'm using appears to be based on the old framework.  As a
>> consequence, just about the time I think I'm starting to get a
>> handle on what works how, I run into something that doesn't
>> correspond to what the SELinux docs are telling me.
>>
>> A good example is refpolicy itself: the policy explained at the
>> tresys site:
>>
>> http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
>>
>> Seems to be rather well thought out, and reasonably logical and
>> orthogonal.  It also seems to bear little resemblance to what I'm
>> using.  The instructions for the tools that I come across seem to
>> mostly reference things that don't even exist for me, or if they did
>> exist would be absolutely useless to me because they are GUI tools,
>> and my systems don't even have X installed.
>>      
> As far as I know the structure is pretty much the same
>    
There are a good many types, transitions, and helper macros that don't 
seem to exist in the Gentoo policy.

>> I realize that a good deal of this is almost certainly due to the
>> fact that I'm on Gentoo.  I'd much rather be part of the solution
>> than part of the problem, so I want to get to where I can start
>> helping with Gentoo's SELinux implementation, but I'm so blasted
>> confused I don't even rightly know how to start.
>>
>> As I've said previously, Gentoo SEEMS to be using policy and tools
>> from RHEL 4's incarnation of SELinux.  That's all well and good,
>> EXCEPT that the documentation describing the policies and tools
>> seems to have gone wandering, so those of us poor schmucks stuck
>> schlepping through the muck of the previous generation's tools have
>> no clue where we are or where we are going, and since I don't even
>> have the source for the policies that I AM using, I'm stuck with my
>> finger up my nose going "Whuh?"
>>      
> Well I am not sure but it is unlikely like El4. Any open source project should make the source available so it should be somewhere..
>    
Good point.  And pursuing that angle, I have in fact found the source 
for the Gentoo policy.  I'm digging through it now.  Fortunately, the M4 
macro language is pretty simple.  ;)

Later,
Chris




More information about the fedora-selinux-list mailing list