Re: [Fwd: policycoreutils patches]

[Karl MacMillan <kmacmillan@mentalrootkit.com>]

On Fri, 2007-04-13 at 14:43 -0400, Stephen Smalley wrote:
> On Fri, 2007-04-13 at 11:17 -0400, Karl MacMillan wrote:
> > On Fri, 2007-04-13 at 10:49 -0400, Stephen Smalley wrote:
> > > On Fri, 2007-04-13 at 10:39 -0400, Daniel J Walsh wrote:
> > > > Stephen Smalley wrote:
> > > > > On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> > > > >   
> > > > >> Moved audit2allow to sbin to match audit2why.
> > > > >>     
> > > > >
> > > > > (one patch per message would be nicer)
> > > > >
> > > > > I actually don't like having so many of the programs in /sbin
> > > > > or /usr/sbin, as they aren't in normal user paths and make it more
> > > > > painful to find the commands.  And moving them can cause user confusion
> > > > > and/or script breakage.  
> > > > >
> > > > >   
> > > > Then for consistency we should move audit2why to the same directory as 
> > > > audit2allow.
> > > 
> > > My real preference would be that the audit2why functionality would be
> > > replicated (and improved) in sepolgen, and audit2allow would directly
> > > use that functionality to identify the cause of the denial as part of
> > > generating policy.  Then audit2allow could directly generate refpolicy
> > > interface calls to e.g. add an attribute to a domain so that it passes
> > > some constraint, or generate a role allow rule.  auditwhy in its current
> > > form is really only to help you; it isn't very useful for end users
> > > (doesn't provide enough information).
> > > 
> > 
> > I would like to see that as well. We have also discussed moving the
> > setroubleshoot plugins into sepolgen to gain broader review and improved
> > maintenance. The current audit2why only provides part of the picture (as
> > you say), we really want to start telling users when they should relabel
> > a file, flib a boolean, or take some action _other_ than allowing the
> > access via allow rules of refpolicy interfaces.
> 
> Yes, although I'm not sure the heuristic/plugin model is the right one.
> Given the right support in libsepol, audit2allow/sepolgen should be able
> to search the conditional avtab for conditional rules that would have
> allowed the access and discover the right boolean directly from policy.
> For file labeling, it might be able to probe what types are accessible
> to the domain in question, and try to propose one.
> 

That's certainly true and I plan to explore those approaches. There are
times, however, when the heuristics might give better explanations. So I
think that we should plan to work on this functionality and import
setroubleshoot plugins as needed. I'll work with John (the
setroubleshoot author) to move over to using sepolgen at the right time.

Karl



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.