* [refpolicy] [RFC] Need for read_policy to use audit2allow?
@ 2013-11-04 21:42 Sven Vermeulen
  2013-11-07 14:07 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Sven Vermeulen @ 2013-11-04 21:42 UTC
  To: refpolicy

Hi guys

I'm testing out the new userspace release and am now seemingly in need of
the read_policy permission (security class) when I want to use audit2allow.

The audit2allow command doesn't give any errors, it just doesn't display
anything beyond a module header. In the AVC logs I have something like this:

type=AVC msg=audit(1565426456.566:822): avc: denied { read_policy } for
pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=security

If I allow this (here for sysadm_t) through selinux_read_policy(sysadm_t)
then audit2allow functions properly again.

With the previous userspace release I do not seem to need this, nor is
audit2allow running in any domain other than the one it is called from.

Is this expected behavior (considering it is a security class, I thought I
had better ask)?

Wkr,
	Sven Vermeulen


* [refpolicy] [RFC] Need for read_policy to use audit2allow?
  2013-11-04 21:42 [refpolicy] [RFC] Need for read_policy to use audit2allow? Sven Vermeulen
@ 2013-11-07 14:07 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2013-11-07 14:07 UTC
  To: refpolicy

On 11/04/13 16:42, Sven Vermeulen wrote:
> Hi guys
> 
> I'm testing out the new userspace release and am now seemingly in need of
> the read_policy permission (security class) when I want to use audit2allow.
> 
> The audit2allow command doesn't give any errors, it just doesn't display
> anything beyond a module header. In the AVC logs I have something like this:
> 
> type=AVC msg=audit(1565426456.566:822): avc: denied { read_policy } for
> pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:security_t:s0 tclass=security
> 
> If I allow this (here for sysadm_t) through selinux_read_policy(sysadm_t)
> then audit2allow functions properly again.
> 
> With the previous userspace release I do not seem to need this, nor is
> audit2allow running in any domain other than the one it is called from.
> 
> Is this expected behavior (considering it is a security class, I thought I
> had better ask)?

The permission means it's looking at /sys/fs/selinux/policy.  I assume the behavior has been changed to look at that instead of looking at the policy.2x on disk, so it knows for certain it's looking at the current policy.  However, I haven't had a chance to dig through all of the Fedora patches that have been committed to the userspace tools yet, to confirm.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

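The situation in both messages above, as an added example that is not code from the thread or from refpolicy: audit2allow is itself the process being denied (`comm="audit2allow"`, `tclass=security`, `{ read_policy }`), so it cannot read /sys/fs/selinux/policy and produces nothing, and the fix Sven used is the refpolicy interface `selinux_read_policy()` rather than a raw allow rule. The script below parses AVC records the way audit2allow would, but recognises that one specific denial and emits the interface call in a small refpolicy module; any other denial is reported as a raw rule the operator still has to review. The first record is the one quoted in the thread; the second is a constructed, unrelated denial so the filter has something to reject. The module name `local_read_policy` and the function names are this example's own, and the raw rule `allow $1 security_t:security read_policy` being what `selinux_read_policy()` expands to is taken from refpolicy's kernel/selinux.if as I know it.

```python
import re

# AVC records to analyse. The first is the denial posted in the thread; the
# second is constructed here and is deliberately not a read_policy denial.
SAMPLE_AVC_RECORDS = [
    'type=AVC msg=audit(1565426456.566:822): avc: denied { read_policy } for '
    'pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security',
    # constructed: a file read denial that must NOT be mapped to read_policy
    'type=AVC msg=audit(1565426500.100:823): avc: denied { read } for '
    'pid=2661 comm="cat" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

# Fields audit2allow needs: the permission set, both contexts and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(record):
    """Return the type-level view of one AVC denial, or None if it is not one."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        'perms': m.group('perms').split(),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def raw_allow_rule(d):
    """The rule audit2allow would print for this denial (no refpolicy interface)."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['stype']} {d['ttype']}:{d['tclass']} {perms};"


def refpolicy_interface(d):
    """Map the one denial this thread is about onto refpolicy's interface.

    selinux_read_policy($1) in refpolicy's kernel/selinux.if expands to
    'allow $1 security_t:security read_policy;'.  Using the interface keeps
    security_t private to the selinux module, which a raw rule would not.
    """
    if d['tclass'] == 'security' and d['ttype'] == 'security_t' and d['perms'] == ['read_policy']:
        return f"selinux_read_policy({d['stype']})"
    return None


def build_module(records, module_name='local_read_policy', version='1.0.0'):
    """Return (module .te text, list of raw rules that were not mapped)."""
    calls, required_types, unhandled = [], [], []
    for rec in records:
        d = parse_avc(rec)
        if d is None:
            continue
        call = refpolicy_interface(d)
        if call is None:
            unhandled.append(raw_allow_rule(d))
            continue
        if call not in calls:
            calls.append(call)
        if d['stype'] not in required_types:
            required_types.append(d['stype'])
    lines = [f"policy_module({module_name}, {version})", "", "gen_require(`"]
    lines += [f"\ttype {t};" for t in required_types]
    lines += ["')", ""] + calls
    return "\n".join(lines) + "\n", unhandled


if __name__ == '__main__':
    te, unhandled = build_module(SAMPLE_AVC_RECORDS)
    print(te)
    for rule in unhandled:
        print("# not mapped to an interface, review by hand:", rule)
```

On a live system the input would come from `ausearch -m AVC -c audit2allow`, and the generated .te is built and loaded with the refpolicy headers (`make -f .../include/Makefile local_read_policy.pp && semodule -i local_read_policy.pp`; the header directory varies by distribution, so that path is an assumption). Note that this only confirms Sven's observation that granting read_policy makes audit2allow work; whether the userspace tools should need it in the first place is the question Chris leaves open.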
