From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: SE Linux <selinux@tycho.nsa.gov>, Karl MacMillan <kmacmillan@tresys.com>
Subject: Re: Busted by constraints.
Date: Thu, 12 May 2005 10:46:36 -0400 [thread overview]
Message-ID: <42836C4C.6010301@redhat.com> (raw)
In-Reply-To: <1115908243.32202.114.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
>On Thu, 2005-05-12 at 10:32 -0400, Daniel J Walsh wrote:
>
>
>>Auditing of constraint failures sucks. We are putting out incorrect
>>error messages. Or at least not informative enough to help the
>>user/policy writer to figure out what is wrong.
>>
>>Yesterday, Another engineer and I spent a lot of time trying to figure
>>out why setfscreatecon was failing. The only indication was the the
>>application was not allowed to created a directory. Of course the allow
>>rule was present in the policy. Eventually we figured out we needed
>>the privowner priv to get by a constraint. Shouldn't the kernel be
>>reporting a constraint failure. Isn't this going to become a lot more
>>important with MLS?
>>
>>
>
>The AVC just sees that a given permission was denied, not what component
>of the policy engine denied it. See "Flask architecture", "policy-
>flexibility", ...
>
>But nothing prevents you from creating a simple tool linked against
>libsepol that takes an avc denial and determines which part of the
>policy caused it. I'd expect that to be part of an audit analysis tool
>like seaudit, not a change to the kernel.
>
>
>
Well I would have no idea how to do it, but it is going to be
increasingly needed
as constraints grow.
Something to tell me the failure is caused by a missing role or
constraint would be great.
audit2why :^)
Dan
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-05-12 14:46 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-12 14:32 Busted by constraints Daniel J Walsh
2005-05-12 14:30 ` Stephen Smalley
2005-05-12 14:46 ` Daniel J Walsh [this message]
2005-05-13 15:00 ` Stephen Smalley
2005-05-13 19:30 ` Stephen Smalley
2005-05-13 20:00 ` Stephen Smalley
2005-05-16 18:44 ` Stephen Smalley
2005-05-16 22:00 ` Daniel J Walsh
2005-05-17 11:39 ` Stephen Smalley
2005-05-17 11:50 ` Stephen Smalley
2005-05-17 12:41 ` Daniel J Walsh
2005-05-17 12:05 ` Stephen Smalley
2005-05-13 15:35 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2005-05-12 20:37 Casey Schaufler
2005-05-13 11:16 ` Stephen Smalley
2005-05-13 15:10 Casey Schaufler
2005-05-13 15:20 ` Stephen Smalley
2005-05-13 15:56 Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42836C4C.6010301@redhat.com \
--to=dwalsh@redhat.com \
--cc=kmacmillan@tresys.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.