selinux April 2010 archive
Main Archive Page > Month Archives  > selinux archives
selinux: Re: refpolicy is missing on lots of hits with audit2all

Re: refpolicy is missing on lots of hits with audit2allow -R.

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Wed Apr 28 2010 - 15:34:42 GMT
To: Karl MacMillan <kmacmillan@tresys.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/28/2010 10:25 AM, Karl MacMillan wrote:

I understand, although I don't agree with penalizying because you match
on an attribute, Currently if I wrote this interface the way I want,
with just the attribute your algorithm would not find it at all.

files_read_etc_files to me means match all config files in the /etc
directory, just because some random application decides to change the
context of /etc/hostname to etc_runtime_t or net_conf_t, we should not
need to change all domains that are supposed to read generic files in
/etc. Especially when I don't even need to read them.

I would argue that

allow X etc_t:file read;
allow X configfile:file read;

Should be weighted equivalently if etc_t is a configfile or only
slightly heavier, and just because etc_runtime_t or some other random
types are configfile does not mean we need to add weight.

But when the attribute adds more weight then "write" does, I think the
algorithm is broken.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvYVY4ACgkQrlYvE4MpobOKSgCgguxc5xhYFpW1GGSnN4N+6v/Z
qUsAoOjz7qSp8kiDHBUN2SYoKWsZfTNK
=Ubgb
-----END PGP SIGNATURE-----

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.