
List:       selinux
Subject:    Re: refpolicy is missing on lots of hits with audit2allow -R.
From:       Stephen Smalley <sds () tycho ! nsa ! gov>
Date:       2010-05-13 19:37:25
Message-ID: 1273779445.23026.219.camel () moss-pluto ! epoch ! ncsc ! mil

On Wed, 2010-04-21 at 21:53 -0400, Karl MacMillan wrote:
> The
> attached patch adds attribute handling to sepolgen. It's only lightly
> tested but I wanted you to get it sooner rather than later.

Evidently this patch has made its way into F-13 and RHEL-6, although it
is still not upstream.

Some concerns/questions:
- This creates a dependency of sepolgen-ifgen on a specific policy.
Previously it was only dependent on the headers.  But this will mean
that the data generated by sepolgen-ifgen and used by sepolgen could
easily differ for targeted vs mls even if they use the same headers.  Do
we need per-policy data directories for sepolgen?

- It should be possible to load a specified policy file rather than
always using the active one.

- You are using the latest policy version supported by the kernel rather
than the one supported by libsepol.  See audit2why.c or load_policy.c in
libselinux to see how they determine the right policy version to use by
default.  Otherwise this will break when we have divergence between the
libsepol and kernel supported policy versions (i.e. whenever we next
introduce a new policy version).

- This creates another user of the static libsepol.  

-- 
Stephen Smalley
National Security Agency
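An added illustration of the policy-version point raised above. This is example code written here, not code from the patch under review, from sepolgen, or from libselinux/libsepol. The real lookups are `security_policyvers()` in libselinux (kernel-supported version) and `sepol_policy_kern_vers_max()` in libsepol (library-supported version); the example takes their results as plain integers so it runs offline, and the descending search over `policy.N` files is a simplified model of what load_policy.c and audit2why.c do, stated here as an assumption rather than a transcription. `POLICYDB_VERSION_BASE` (15) is libsepol's real lowest kernel policy version; the sample directory listing is constructed.

```python
"""Bounding the default policy version by libsepol, not only by the kernel.

Example code (not from sepolgen, libselinux, libsepol or the reviewed patch).
The kernel and libsepol version numbers are passed in as integers; in real
code they come from security_policyvers() and sepol_policy_kern_vers_max().
"""
import re
from typing import Dict, Iterable, Optional

# libsepol's lowest supported kernel policy version (POLICYDB_VERSION_BASE).
POLICYDB_VERSION_BASE = 15

_POLICY_FILE_RE = re.compile(r"^policy\.(\d+)$")


def choose_policy_version(libsepol_max: int, kernel_vers: int) -> int:
    """Highest version that both libsepol and the running kernel understand.

    Using the kernel's maximum alone is the defect under discussion: when the
    kernel gains a new policy version before the installed libsepol does, the
    library cannot read or write that version. kernel_vers <= 0 is treated as
    "unknown" (no SELinux, or sysfs unreadable) and falls back to libsepol.
    """
    if libsepol_max < POLICYDB_VERSION_BASE:
        raise ValueError("libsepol reports no usable policy version")
    if kernel_vers <= 0:
        return libsepol_max
    return min(libsepol_max, kernel_vers)


def _versions_by_file(available: Iterable[str]) -> Dict[int, str]:
    """Map policy version -> file name for names of the form policy.N."""
    found: Dict[int, str] = {}
    for name in available:
        m = _POLICY_FILE_RE.match(name)
        if m:
            found[int(m.group(1))] = name
    return found


def select_policy_file(available: Iterable[str], target_vers: int,
                       min_vers: int = POLICYDB_VERSION_BASE) -> Optional[str]:
    """Pick the binary policy file to load for target_vers.

    Simplified model (assumption) of the descending search in libselinux:
    prefer policy.<target>, then progressively older files down to min_vers.
    Files newer than target are never chosen, because the library that will
    parse them does not understand that version.
    """
    versions = _versions_by_file(available)
    for v in range(target_vers, min_vers - 1, -1):
        if v in versions:
            return versions[v]
    return None


def newer_than_supported(available: Iterable[str], target_vers: int) -> list:
    """Policy files present on disk that exceed the chosen version.

    A non-empty result means the store holds a policy this libsepol cannot
    consume as-is; it would have to be rebuilt or downgraded first.
    """
    versions = _versions_by_file(available)
    return sorted(versions[v] for v in versions if v > target_vers)


if __name__ == "__main__":
    # Constructed scenario: libsepol was built for version 24, the kernel
    # already accepts 26, and the policy store holds both files.
    listing = ["policy.24", "policy.26", "policy.kern"]
    wrong = 26                                   # "latest the kernel supports"
    right = choose_policy_version(libsepol_max=24, kernel_vers=26)
    print("kernel-only choice:", wrong, "->", select_policy_file(listing, wrong))
    print("bounded choice:    ", right, "->", select_policy_file(listing, right))
    print("too new for libsepol:", newer_than_supported(listing, right))
```

Run stand-alone, the kernel-only choice resolves to `policy.26`, which a version-24 libsepol cannot parse, while the bounded choice resolves to `policy.24`. The same bound applies whichever direction the divergence goes: if libsepol is ahead of the kernel, `choose_policy_version` clamps to the kernel's version instead.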

