From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Cliffe <cliffe@ii.net>, selinux@tycho.nsa.gov, slide@tresys.com
Subject: Re: Help with SELinux policy for Usability Study
Date: Thu, 30 Jul 2009 13:30:54 -0400
Message-ID: <4A71D8CE.1010700@redhat.com>
In-Reply-To: <1248965089.11627.137.camel@moss-pluto.epoch.ncsc.mil>

On 07/30/2009 10:44 AM, Stephen Smalley wrote:
> On Thu, 2009-07-30 at 22:24 +0800, Cliffe wrote:
>> It adds the permissive line to both (I am not sure why kwrite seemed
>> to be in enforcing mode). But the gui does not make this clear. I have
>> mentioned this to the fedora-selinux mailing list.
> 
> Perhaps kwrite isn't actually running in kwrite_t at all.  Note that kde
> has historically had a problem with launching all applications via a
> single kde-init program, thereby preventing automatic domain transitions
> on the specific application from working.  Not sure if that has been
> fixed.  I don't use KDE.
> 
>> None there. It turns out they were in /var/log/messages
>>
>> so 
>> grep kwrite /var/log/audit/audit.log | audit2allow >> kwrite.te
>> did the trick. It is strange that some AVCs go to /var/log/messages
>> while others go to
>> /var/log/audit/audit.log
> 
> That seems like a bug to me in dbus.
> 
> Again, I'd suggest that you also include SLIDE in your study - it will
> add a further data point and is a more flexible solution, even if it may
> be slightly harder to get started.
> 

BTW, if you use the sepolgen command line that is in F11 and Rawhide, it has new features to examine the executable and rpm information to generate more data automagically.  It is using the same framework that polgengui is using.

You can execute

sepolgen /usr/sbin/myapp

And it will generate the myapp.te, if, fc, sh files automatically. No gui to walk through.

For example it will look for paths in the rpm that match /var/run/myapp, /var/lib/myapp ... and create proper types.
It also runs nm -D /usr/sbin/myapp looking for function calls that it knows require certain interfaces. If it finds syslog it will add the

logging_send_syslog_msg(myapp_t) 

call.

I have not merged this stuff back into the GUI yet.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
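
The symbol and path scan described in the message above, sketched as an added example; it is not part of the original message and is not sepolgen's own code. Only the syslog mapping comes from the message; the other two symbol mappings, the generated type names and the file-context line format are assumptions for illustration, and the nm output and package paths are constructed.

```python
import re

# Symbol substring -> refpolicy interface. Only the syslog entry comes from
# the message; the other two are assumptions added for illustration.
SYMBOL_INTERFACES = {
    "syslog": "logging_send_syslog_msg",
    "gethostby": "sysnet_dns_name_resolve",
    "getpwnam": "auth_use_nsswitch",
}
# Directory prefix -> (type suffix, declaring interface); naming is assumed.
PATH_TYPES = {
    "/var/run/": ("var_run_t", "files_pid_file"),
    "/var/lib/": ("var_lib_t", "files_type"),
}

def undefined_symbols(nm_output):
    """Return the undefined (imported) symbol names from `nm -D` output."""
    syms = set()
    for line in nm_output.splitlines():
        m = re.match(r"^\s*(?:[0-9a-fA-F]+\s+)?U\s+(\S+)", line)
        if m:
            syms.add(m.group(1).split("@")[0])  # drop @GLIBC_x version suffix
    return syms

def generate(app, nm_output, rpm_paths):
    """Build .te lines and .fc lines for `app` from symbols and package paths."""
    domain = f"{app}_t"
    te, fc = [f"type {domain};"], []
    for prefix, (suffix, iface) in PATH_TYPES.items():
        path = prefix + app
        # Match the directory itself or anything below it, not /var/lib/myapp2.
        if any(p == path or p.startswith(path + "/") for p in rpm_paths):
            t = f"{app}_{suffix}"
            te += [f"type {t};", f"{iface}({t})"]
            fc.append(f"{path}(/.*)?\tgen_context(system_u:object_r:{t},s0)")
    syms = undefined_symbols(nm_output)
    for needle, iface in SYMBOL_INTERFACES.items():
        if any(needle in s for s in syms):
            te.append(f"{iface}({domain})")
    return te, fc

# Constructed sample inputs (not taken from a real binary or package).
SAMPLE_NM = """\
                 U __syslog_chk@GLIBC_2.4
                 U fopen@GLIBC_2.2.5
0000000000001139 T getpwnam_wrapper
"""
SAMPLE_PATHS = ["/usr/sbin/myapp", "/var/run/myapp", "/var/lib/myapp/state.db"]

if __name__ == "__main__":
    print("\n".join(sum(generate("myapp", SAMPLE_NM, SAMPLE_PATHS), [])))
```

Only imported symbols are considered, so the locally defined `getpwnam_wrapper` does not pull in `auth_use_nsswitch`, while the fortified `__syslog_chk` import still triggers the syslog interface.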
