5937e9bd26
New flag -C for audit2allow sets output format to CIL instead of Policy Language.

Example:

```
;============= mozilla_t ==============

;!!!! This avc is allowed in the current policy
(allow mozilla_t user_sudo_t (fd (use)))

;============= user_t ==============

;!!!! This avc can be allowed using the boolean 'allow_execmem'
(allow user_t self (process (execmem)))
(allow user_t chromium_t (process (noatsecure rlimitinh siginh)))

;!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
;Constraint rule:
; constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-) or (u1 == system_u -Fail-) or (u1 == unconfined_u -Fail-) or (u1 == sysadm_u -Fail-) or (u2 == system_u -Fail-) or (t1 != ubac_constrained_type -Fail-) or (t2 != ubac_constrained_type -Fail-) or (t1 == ubacfile -Fail-) ); Constraint DENIED

; Possible cause is the source user (user_u) and target user (sysadm_u) are different.
(allow user_t user_home_dir_t (dir (getattr relabelto)))
```

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
||
---|---|---|
.gitignore | ||
Makefile | ||
audit2allow | ||
audit2allow.1 | ||
audit2why | ||
audit2why.1 | ||
sepolgen-ifgen | ||
sepolgen-ifgen-attr-helper.c | ||
test.log | ||
test_audit2allow.py | ||
test_dummy_policy.cil |