Ken YANG wrote:
Aleksander Adamowski wrote:
> Hi!
>
> I often find myself in a need for a tool that would scan a module's .te
> file and generate the missing requires.
>
> It should determine all the missing requires, for which there are rules
> in that module, in one pass, and present either the missing requires
> only, or the full contents of the require {} section (in the second
> case, it could merge the missing class permissions with any existing
> permissions for given pre-existing classes).
>
> I know that I can use audit2allow to generate the requires for me with
> -r switch, but it has 3 shortcomings:
>
> 1. It dumbly generates requires for all the classes/types/attributes
> it sees - and since it doesn't know anything about intended module
> where the rules will go to, it will probably generate requires for
> types/attributes that are defined in that module. Such require
> output, when blindly pasted into module's source, will generate
> duplicate definition errors.
> 2. It knows nothing about preexisting requires in the target module,
> so it will spit out all of them and one has to remove duplicates
> by hand (e.g. using vi: "'a,'b!sort", then
"'a'b!uniq")
> 3. It won't help me if I write some rules by hand, not based on AVC
> messages.
>
> I think the problem is widespread enough that someone could have written
> a tool for that already - I'd like to know about that before I start
> writing one myself :)

You can ask selinux(a)tycho.nsa.gov; I remember there is some work
upstream similar to your idea.

The best idea is to get rid of gen_requires altogether, and have the
linker/compiler figure it out. This is being worked on in the new
polgen implementation.
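
A sketch of the one-pass scan the original request describes, added here as an example; it is not code from anyone in this thread or from any SELinux project. It assumes raw allow/dontaudit/auditallow rules and a single `require { }` block, ignores interface macros and `gen_require`, and treats every undeclared name as a type (it cannot tell types from attributes).

```python
import re
from collections import defaultdict

SET = r'(\{[^}]*\}|[^\s;:]+)'  # one identifier or a { ... } set
RULE = re.compile(r'^\s*(?:allow|dontaudit|auditallow)\s+' + SET + r'\s+' + SET +
                  r'\s*:\s*' + SET + r'\s+' + SET + r'\s*;', re.M)

def names(tok):
    """Identifiers in a token or set; 'self' never needs a require."""
    return {n for n in re.findall(r'\w+', tok) if n != 'self'}

def split_require(text):
    """Return (require body, rest); count brace depth because class sets nest."""
    m = re.search(r'\brequire\s*\{', text)
    if not m:
        return '', text
    depth, i = 1, m.end()
    while depth and i < len(text):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1], text[:m.start()] + text[i:]

def missing_requires(te_text):
    """Return (missing types, {class: missing perms}); undeclared names assumed to be types."""
    req, body = split_require(re.sub(r'#.*', '', te_text))
    local = set(re.findall(r'^\s*(?:type|attribute)\s+(\w+)', body, re.M))
    have = set().union(*map(names, re.findall(r'\b(?:type|attribute)\s+([^;]+);', req)))
    have_perms = defaultdict(set)
    for cls, perms in re.findall(r'\bclass\s+(\w+)\s+(\{[^}]*\}|\w+)', req):
        have_perms[cls] |= names(perms)
    used, need = set(), defaultdict(set)
    for src, tgt, classes, perms in RULE.findall(body):
        used |= names(src) | names(tgt)
        for cls in names(classes):
            need[cls] |= names(perms)
    gaps = {c: sorted(p - have_perms[c]) for c, p in need.items() if p - have_perms[c]}
    return sorted(used - local - have), gaps

SAMPLE_TE = """module myapp 1.0;   # constructed sample, not from the thread
require {
    type var_log_t;
    class file { read getattr };
}
type myapp_t;
allow myapp_t var_log_t:file { read write getattr };
allow myapp_t etc_t:{ file dir } getattr;
allow myapp_t self:process signal;
"""
if __name__ == '__main__':
    print(missing_requires(SAMPLE_TE))
```

Locally declared `myapp_t` and the already-required `var_log_t` and `file { read getattr }` are left out of the result, which covers the first two shortcomings listed in the request; hand-written rules are covered because the input is the module source rather than AVC messages.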