Aleksander Adamowski wrote:
Hi!
I often find myself in need of a tool that would scan a module's .te
file and generate the missing requires.
It should determine all the missing requires, for which there are rules
in that module, in one pass, and present either the missing requires
only, or the full contents of the require {} section (in the second
case, it could merge the missing class permissions with any existing
permissions for given pre-existing classes).
I know that I can use audit2allow to generate the requires for me with
the -r switch, but it has 3 shortcomings:
1. It dumbly generates requires for all the classes/types/attributes
it sees - and since it doesn't know anything about the intended module
where the rules will go, it will probably generate requires for
types/attributes that are defined in that module. Such require
output, when blindly pasted into the module's source, will generate
duplicate definition errors.
2. It knows nothing about preexisting requires in the target module,
so it will spit out all of them and one has to remove duplicates
by hand (e.g. using vi: "'a,'b!sort", then
"'a'b!uniq")
3. It won't help me if I write some rules by hand, not based on AVC
messages.
I think the problem is widespread enough that someone could have written
a tool for that already - I'd like to know about that before I start
writing one myself :)
You can ask selinux(a)tycho.nsa.gov; I remember there is some work
upstream similar to your idea.
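As an added illustration of the tool Aleksander describes, here is a small Python script that does the one-pass scan he asks for: it collects the types, attributes and object classes referenced by a module's own rules, subtracts what the module declares itself and what its existing require {} block already covers, and prints either the missing entries or the merged full section. It is example code written for this thread, not audit2allow and not the upstream work the reply refers to. The sample module text, its identifier names and the assumed limits (m4 macro lines such as interface calls are skipped, `alias` and type_transition are not parsed, and a name seen only in rules is reported as a type unless the module itself marks it as an attribute, since a single .te file cannot tell the two apart) are all constructed for this illustration.

```python
"""Report the require {} entries a SELinux .te module is missing (added example,
not audit2allow).  Assumed limits: m4 macro lines (interface calls, policy_module,
optional_policy) are skipped, 'alias' and type_transition are not parsed, and a name
seen only in rules is reported as a type unless the module marks it as an attribute."""
import re
from collections import defaultdict

TOK = r"(~?\{[^}]*\}|[^\s:{}\"]+)"                   # '{ a b }', '~{ a }' or a bare name
AV_RE = re.compile(r"^(?:allow|dontaudit|auditallow|neverallow)\s+" + TOK +
                   r"\s+" + TOK + r"\s*:\s*" + TOK + r"\s+" + TOK + r"$")
MACRO_RE = re.compile(r"^\s*(\w+\(|'\)|\))")         # interface calls and m4 quoting lines

def _names(token):
    """'{ a b -c }', '~{ a }' or 'a' -> identifiers; '-'/'~' marks, '*' and 'self' dropped."""
    names = (n.lstrip("-") for n in token.lstrip("~").strip("{} ").split())
    return {n for n in names if n and n not in ("*", "self")}

def _idents(text):
    return [n for n in re.split(r"[,\s]+", text) if n]

def _pull_requires(text):
    """Cut every require { ... } block out of text; return (rest, declared)."""
    declared = {"type": set(), "attribute": set(), "class": defaultdict(set)}
    kept, pos = [], 0
    for m in re.finditer(r"\brequire\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):                # find the matching '}'
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        for stmt in text[m.end():i - 1].split(";"):
            parts = stmt.split(None, 1)
            if len(parts) == 2 and parts[0] in ("type", "attribute"):
                declared[parts[0]].update(_idents(parts[1]))
            elif len(parts) == 2 and parts[0] == "class":
                cls, _, perms = parts[1].partition(" ")
                declared["class"][cls].update(_names(perms))
        kept.append(text[pos:m.start()])
        pos = i
    kept.append(text[pos:])
    return "".join(kept), declared

def missing_requires(te_text, full=False):
    """{'type': [...], 'attribute': [...], 'class': {cls: [perms]}}: only what is
    missing, or with full=True the existing entries merged in (the whole section)."""
    lines = [l.split("#", 1)[0] for l in te_text.splitlines()]   # strip comments
    text, declared = _pull_requires("\n".join(l for l in lines if not MACRO_RE.match(l)))
    defined = {"type": set(), "attribute": set()}
    used = {"type": set(), "attribute": set(), "class": defaultdict(set)}
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())
        kind, _, rest = stmt.partition(" ")
        if kind in ("type", "typeattribute") and rest:  # 'type t, attr;' / 'typeattribute t attr;'
            names = _idents(rest)
            (defined if kind == "type" else used)["type"].add(names[0])
            used["attribute"].update(names[1:])
        elif kind == "attribute":
            defined["attribute"].update(_idents(rest))
        elif AV_RE.match(stmt):
            src, tgt, cls, perms = AV_RE.match(stmt).groups()
            used["type"] |= _names(src) | _names(tgt)
            for c in _names(cls):
                used["class"][c] |= _names(perms)
    attrs = defined["attribute"] | declared["attribute"] | used["attribute"]
    used["attribute"] |= used["type"] & attrs          # rules cannot tell type from attribute
    used["type"] -= attrs
    result = {"class": {}}
    for kind in ("type", "attribute"):
        need = used[kind] - defined[kind]
        result[kind] = sorted((need | declared[kind]) if full else (need - declared[kind]))
    for cls in set(used["class"]) | set(declared["class"]):
        have, want = declared["class"].get(cls, set()), used["class"].get(cls, set())
        perms = (want | have) if full else (want - have)
        if perms:
            result["class"][cls] = sorted(perms)
    return result

def format_require(req):
    """Render missing_requires() output as a require { } block."""
    out = ["\t%s %s;" % (k, ", ".join(req[k])) for k in ("type", "attribute") if req[k]]
    out += ["\tclass %s { %s };" % (c, " ".join(p)) for c, p in sorted(req["class"].items())]
    return "\n".join(["require {"] + out + ["}"])

# Constructed sample module (made-up names): one existing require block plus rules
# pasted from audit2allow output and a hand-written one; the macro lines are skipped.
SAMPLE_TE = """\
policy_module(myapp, 1.0)
require {
    type etc_t;
    class file { read getattr };
}
type myapp_t;
attribute myapp_domain;
typeattribute myapp_t myapp_domain;
allow myapp_t etc_t:file { read getattr open };   # from audit2allow
allow myapp_t self:process { fork signal };
allow myapp_domain httpd_t:tcp_socket name_connect;
allow myapp_t tmp_t:dir { write add_name };       # written by hand
files_read_etc_files(myapp_t)
"""
```

Running `print(format_require(missing_requires(SAMPLE_TE)))` on the sample lists only `httpd_t` and `tmp_t` as missing types (myapp_t is defined in the module, etc_t is already required), reports `myapp_domain` as nothing at all because the module declares it as an attribute, and for class file emits only the `open` permission that the existing require lacks; `missing_requires(SAMPLE_TE, full=True)` instead merges the existing entries in, giving `class file { getattr open read }` for pasting over the old block.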