selinux/python/audit2allow
Topi Miettinen 5937e9bd26 audit2allow: CIL output mode
New flag -C for audit2allow sets output format to CIL instead of
Policy Language.

Example:
;============= mozilla_t ==============

;!!!! This avc is allowed in the current policy
(allow mozilla_t user_sudo_t (fd (use)))

;============= user_t ==============

;!!!! This avc can be allowed using the boolean 'allow_execmem'
(allow user_t self (process (execmem)))
(allow user_t chromium_t (process (noatsecure rlimitinh siginh)))

;!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
;Constraint rule:
;       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u1 == unconfined_u -Fail-)  or (u1 == sysadm_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED

;       Possible cause is the source user (user_u) and target user (sysadm_u) are different.
(allow user_t user_home_dir_t (dir (getattr relabelto)))

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-03-20 14:18:40 -04:00
..
.gitignore python/audit2allow: make the tests useful again 2019-01-08 10:15:46 +01:00
Makefile Do not automatically install Russian translations 2023-08-16 13:33:47 -04:00
audit2allow audit2allow: CIL output mode 2024-03-20 14:18:40 -04:00
audit2allow.1 audit2allow: CIL output mode 2024-03-20 14:18:40 -04:00
audit2why Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 2016-11-16 11:19:50 -05:00
audit2why.1 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 2016-11-16 11:19:50 -05:00
sepolgen-ifgen python: Harden tools against "rogue" modules 2022-11-09 07:53:27 -05:00
sepolgen-ifgen-attr-helper.c python/audit2allow: close file stream on error 2022-06-15 08:58:54 -04:00
test.log python: add xperms support to audit2allow 2018-06-16 10:36:14 +02:00
test_audit2allow.py python/audit2allow: use local sepolgen-ifgen-attr-helper for tests 2019-01-08 10:15:46 +01:00
test_dummy_policy.cil python/audit2allow: make the tests useful again 2019-01-08 10:15:46 +01:00