From: Daniel J Walsh <dwalsh@redhat.com>
To: Dominick Grift <dominick.grift@gmail.com>
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: Allow audit2allow to return constraint information from policy
Date: Thu, 24 Oct 2013 12:40:43 -0400
Message-ID: <52694D8B.3050705@redhat.com>
In-Reply-To: <1382630560.3041.150.camel@d30>

On 10/24/2013 12:02 PM, Dominick Grift wrote:
> On Thu, 2013-10-24 at 09:28 -0400, Daniel J Walsh wrote:
>> At the end of last year I was complaining about audit2allow and the
>> SELinux tools chain not being able to give better information about what
>> constraint is being violated, so an admin or policy writer could have a
>> clue on how to fix the problem.
>> 
>> A fairly common problem is domains trying to change the role or user
>> component of the label.  Or in the MCS and MLS world, what attribute do I
>> need to add to my policy to allow the AVC.
>> 
>> Richard Haines wrote some nice patches to add the constraint information
>> to the kernel and to change user space to reveal this information.
>> 
>> Sadly we thought these discussions had happened on the list, but I guess
>> we had taken it private.  Here is the userspace patch to reveal this
>> information.
>> 
>> The kernel team will be posting the kernel patch hopefully soon.  We
>> believe that even though the kernel does not need the additional
>> information about the constraint, the limited space required to carry
>> this information makes sense.
>> 
> 
> 
> Can we though make that information opt-in?
> 
> I think it annoying that when I run audit2allow my screen gets filled with
> all kinds of information I am not interested in.
> 
> I could find an option to get rid of the noise.
> 
> 
> -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes
> as the message.
> 
Well I think it should be opt out.

You could easily make a script to do this, something like:

audit2allow "$@" | grep '^allow'

But it is something I would like to add.

audit2allow -q

Or something like that.


