selinux April 2010 archive

Re: refpolicy is missing on lots of hits with audit2allow -R.

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Wed Apr 28 2010 - 15:34:42 GMT
To: Karl MacMillan <>


On 04/28/2010 10:25 AM, Karl MacMillan wrote:

I understand, although I don't agree with penalizing because you match
on an attribute. Currently, if I wrote this interface the way I want,
with just the attribute, your algorithm would not find it at all.

files_read_etc_files to me means match all config files in the /etc
directory, just because some random application decides to change the
context of /etc/hostname to etc_runtime_t or net_conf_t, we should not
need to change all domains that are supposed to read generic files in
/etc. Especially when I don't even need to read them.

I would argue that

allow X etc_t:file read;
allow X configfile:file read;

should be weighted equivalently if etc_t is a configfile, or only
slightly heavier, and just because etc_runtime_t or some other random
types are configfile does not mean we need to add weight.

But when the attribute adds more weight than "write" does, I think the
algorithm is broken.
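As an added illustration of the weighting argument in this message (not code from the thread, from sepolgen or from refpolicy), here is a constructed scorer in which the interface names, the attribute membership and the cost values are assumptions; it shows that charging an attribute match more than an extra "write" permission makes the broader interface win over the least-privilege one:

```python
# Constructed, simplified model of how audit2allow -R might rank candidate
# interfaces for a denial; NOT sepolgen's real algorithm, only an illustration.
from dataclasses import dataclass

# Assumed attribute membership (constructed): types carrying `configfile`.
ATTRIBUTES = {"configfile": {"etc_t", "etc_runtime_t", "net_conf_t"}}

@dataclass(frozen=True)
class Rule:
    target: str         # a type or an attribute name
    tclass: str         # object class, e.g. "file"
    perms: frozenset    # permissions granted

def expand(target):
    """Concrete types a target name stands for (an attribute expands to its members)."""
    return ATTRIBUTES.get(target, {target})

def score(denial, rule, attr_cost, perm_cost):
    """Cost of covering `denial` with `rule`; lower is better, None means no match.
    attr_cost: charged when the match goes through an attribute, not the exact type.
    perm_cost: charged per extra permission the rule would grant beyond the denial."""
    if rule.tclass != denial.tclass or not denial.perms <= rule.perms:
        return None
    if rule.target == denial.target:
        target_cost = 0
    elif denial.target in expand(rule.target):
        target_cost = attr_cost
    else:
        return None
    return target_cost + perm_cost * len(rule.perms - denial.perms)

def best_interface(denial, interfaces, attr_cost, perm_cost):
    """Name of the cheapest matching interface, or None."""
    ranked = sorted((s, name) for name, rule in interfaces.items()
                    if (s := score(denial, rule, attr_cost, perm_cost)) is not None)
    return ranked[0][1] if ranked else None

# The denial from the audit log: domain X was refused read on an etc_t file.
DENIAL = Rule("etc_t", "file", frozenset({"read"}))
# Two constructed candidates: the attribute-based variant of files_read_etc_files
# that the message wishes for, and a hypothetical interface that also grants write.
INTERFACES = {
    "files_read_etc_files_attr": Rule("configfile", "file", frozenset({"read"})),
    "files_rw_etc_files_hypo":   Rule("etc_t", "file", frozenset({"read", "write"})),
}
# Attribute match costs more than an extra "write": the broader interface wins.
BROKEN = best_interface(DENIAL, INTERFACES, attr_cost=5, perm_cost=1)  # files_rw_etc_files_hypo
# Attribute match only slightly heavier than an exact type and cheaper than
# "write": the least-privilege interface wins.
FIXED = best_interface(DENIAL, INTERFACES, attr_cost=1, perm_cost=2)   # files_read_etc_files_attr
```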

