http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions#preview
Trying to build a analysys tool to be able to translate avc messages into possible boolean/file_context solutions.
The idea is that we can look at the AVC messages that are generated and figure out what the servers were trying to do. Then we can give some advise to the administrator on the corrective measures. So what we are looking for are expected code paths where there is a file context of boolean available.
Additional suggestions are welcome.
Dan
On Thu, 2006-03-30 at 14:51 -0500, Daniel J Walsh wrote:
http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions#preview
Trying to build a analysys tool to be able to translate avc messages into possible boolean/file_context solutions.
The idea is that we can look at the AVC messages that are generated and figure out what the servers were trying to do. Then we can give some advise to the administrator on the corrective measures. So what we are looking for are expected code paths where there is a file context of boolean available.
Usually if a AVC denied is fixed with a corresponding rule, the next AVC comes up in the log (allow getattr, after that ACV:denied read, and so on). Probably we don't want to annoy the administrator with several pop-ups coming up on his screen.
What do you think about that?
Thorsten Scherf wrote:
On Thu, 2006-03-30 at 14:51 -0500, Daniel J Walsh wrote:
http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions#preview
Trying to build a analysys tool to be able to translate avc messages into possible boolean/file_context solutions.
The idea is that we can look at the AVC messages that are generated and figure out what the servers were trying to do. Then we can give some advise to the administrator on the corrective measures. So what we are looking for are expected code paths where there is a file context of boolean available.
Usually if a AVC denied is fixed with a corresponding rule, the next AVC comes up in the log (allow getattr, after that ACV:denied read, and so on). Probably we don't want to annoy the administrator with several pop-ups coming up on his screen.
What do you think about that?
Yes the idea would be to continue gathering all of the AVC's while the app is running. I do not believe they will be able close the window faster than the AVC MEssages. The app should have a disable button built in so that if their is a real labeling problem, it will not keep popping up. So we will have to watch our usability. :^) But hopefully there will not be a lot of AVC messages :^)
Dan
selinux@lists.fedoraproject.org
-
Daniel J Walsh -
Thorsten Scherf