AVC Decision Tree.

Daniel J Walsh dwalsh at redhat.com
Fri Mar 31 17:03:43 UTC 2006


Thorsten Scherf wrote:
> On Thu, 2006-03-30 at 14:51 -0500, Daniel J Walsh wrote:
>   
>> http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions#preview
>>
>> Trying to build a analysys tool to be able to translate avc messages 
>> into possible boolean/file_context solutions.
>>
>> The idea is that we can look at the AVC messages that are generated and 
>> figure out what the servers were trying to do.  Then we can give some 
>> advise to the administrator on the corrective measures.  So what we are 
>> looking for are expected code paths where there is a file context of 
>> boolean available.
>>     
>
> Usually if a AVC denied is fixed with a corresponding rule, the next AVC
> comes up in the log (allow getattr, after that ACV:denied read, and so
> on). Probably we don't want to annoy the administrator with several
> pop-ups coming up on his screen.
>
> What do you think about that?
>
>   
Yes the idea would be to continue gathering all of the AVC's while the 
app is running.  I do not believe they will be able
close the window faster than the AVC MEssages.  The app should have a 
disable button built in so that if their is a real labeling problem, it 
will not keep popping up.  So we will have to watch our usability. :^)  
But hopefully there will not be a lot of AVC messages :^)

Dan




More information about the selinux mailing list