Re: A tool to generate missing requires for a SELinux module?

Aleksander Adamowski wrote: > Hi! > > I often find myself in a need for a tool that would scan a module's .te > file and generate the missing requires. > > It should determine all the missing requires, for which there are rules > in that module, in one pass, and present either the missing requires > only, or the full contents of the require {} section (in the second > case, it could merge the missing class permissions with any existing > permissions for given pre-existing classes). > > I know that I can use audit2allow to generate the requires for me with > -r switch, but it has 3 shortcomings: > > 1. It dumbly generates requires for all the classes/types/attributes > it sees - and since it doesn't know anything about intended module > where the rules will go to, it will probably generate requires for > types/attributes that are defined in that module. Such require > output, when blindly pasted into module's source, will generate > duplicate definition errors. > 2. It knows nothing about preexisting requires in the target module, > so it will spit out all of them and one has to remove duplicates > by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq") > 3. It won't help me if I write some rules by hand, not based on AVC > messages. > > I think the problem is widespread enough that someone could have written > a tool for that already - I'd like to know about that before I start > writing one myself :) you can ask selinux(a)tycho.nsa.gov, i rememeber there are some works in upstream similar to your idea. -- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFGztPGrlYvE4MpobMRAoKKAJ9xYQPOBfo3j0P1nbVbEDNLAzddvwCgqsOA n7ipNIUbcqyoI0e+lBUTfBE= =RrkG -----END PGP SIGNATURE-----