"Large legacy application."
I'm running for the nearest exit and getting off the property already.
On July 23, 2021 8:49:25 AM AKDT, Todd Sandor <toddlersandor(a)gmail.com> wrote:
I'm a selinux newbie using RHEL7.9 and I'm in the process of
creating
a "private/application" selinux policy for a
large legacy application.
For some AVCs/denials I've been using the audit2allow to generate some
of the rules/interfaces to resolve the AVCs/denials.
Questions about using the "-R" option to generate the policy rules:
1. What are the risks of using the "-R" option?
Do people use the "interfaces" which the "-R" generates in the
policies deployed in production environments?
When "-R" is used, how does the tool itself determine which
"interface" to use? Is it Linux distribution and release specific so
if we upgrade will it be a problem?
The redhat documentation and man page (and other vendor's
documentation) specify it is a risk to use this tool (see [1][2]).
2. When the "-R" option is not used, separate rules are generated that
do not include "interface" rules.
Is it safe to use the rules audit2allow generates (without "-R") or
are those a risk as well?
3. Any other suggestions for resolving AVCs/denials ?
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[2] audit2allow man page
man audit2allow
...
-R | --reference
Generate reference policy using installed macros. This
attempts to match denials against interfaces and may be
inaccurate.
Thanks
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.