total newbie audit2allow question

Dominick Grift dominick.grift at gmail.com
Wed Apr 17 17:01:43 UTC 2013


On Wed, 2013-04-17 at 09:12 -0600, Richard Greenwood wrote:

> 
> 
> Thank you for the detail explanations and blog post. I'm not really
> having a problem with my CGI app, nor am I trying to create a custom
> type. I'm just trying to get a better understanding of SELinux
> generally, and specifically what policies audit2allow is creating.
> Your answers have gotten me a little closer.
> 

audit2allow is just translating AVC denials into type enforcement policy
rules, e.g. picking out the source type, target type, target object
class and permission(s). Then it just prepends that with either the allow or
dontaudit access vector, depending on what you tell it to do (that's an
audit2allow option, defaults to allow).

example:

allow source_type target_type:target_object_class { permissions };

It is very limited. It can only do basic type enforcement translation
and it cannot make security decisions (for example, decide whether to
create a file with an inherited file type or to create it with a type
transition. Similarly, it cannot decide whether to just run an executable
file or run it with a domain type transition). It always just does the
former.
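The translation step described in this reply, written out as a small worked example. This is an added illustration, not audit2allow's own code and not something posted in the thread: it picks the source type, target type, object class and permissions out of constructed AVC denial lines (the log lines below are made up for the example; the type names in them are assumed), merges permissions that share the same source/target/class triple, and prepends either allow or dontaudit. Like the real tool, it can only emit plain type enforcement rules; it never decides on a type transition, which is the limitation the reply points out.

```python
"""Toy AVC-denial-to-rule translator, modelled on what audit2allow does.

Added example, not the audit2allow source. It only performs the basic
translation described in the thread: source type, target type, object
class and permissions are extracted and turned into an allow (or
dontaudit) rule. It deliberately does NOT emit type_transition rules,
because that is a security decision the tool cannot make for you.
"""
import re
from collections import defaultdict

# Constructed sample AVC denials (invented for this example, not real audit output).
# The SELinux types used here (httpd_sys_script_t, user_home_t, mysqld_port_t)
# are assumptions chosen to look like a CGI script hitting two different denials.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1366218103.123:45): avc:  denied  { read } for  pid=1234 '
    'comm="script.cgi" name="data.txt" dev="sda1" ino=5678 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1366218103.456:46): avc:  denied  { open } for  pid=1234 '
    'comm="script.cgi" path="/home/example/data.txt" dev="sda1" ino=5678 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1366218104.789:47): avc:  denied  { name_connect } for  pid=1234 '
    'comm="script.cgi" dest=3306 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

# Permissions appear first in an AVC record, followed by scontext, tcontext, tclass.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Extract (source_type, target_type, tclass, permissions) from one AVC line.

    Returns None for lines that are not AVC denials.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (
        context_type(m['scontext']),
        context_type(m['tcontext']),
        m['tclass'],
        frozenset(m['perms'].split()),
    )


def translate(lines, dontaudit=False):
    """Turn AVC denial lines into type enforcement rules.

    Permissions for the same (source, target, class) triple are merged into
    one rule, as audit2allow does. The access vector is 'allow' unless the
    caller asks for 'dontaudit'.
    """
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        merged[(src, tgt, cls)] |= perms

    verb = "dontaudit" if dontaudit else "allow"
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"{verb} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in translate(SAMPLE_AVC_LINES):
        print(rule)
```

Running it prints two allow rules, one for the file accesses (read and open merged into a single rule) and one for the TCP port connection. Whether those rules are the right fix, or whether a proper policy module should instead label the file differently or use a domain transition, is exactly the decision the reply says the tool cannot make; a human has to review the output before loading it.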
