From: ossman@cendio.se (Pierre Ossman)
Date: Wed, 10 Sep 2014 11:05:59 +0200
Subject: [refpolicy] write AVC on access()?
In-Reply-To: <20140908092324.1bc7b98a@ossman.lkpg.cendio.se>
References: <20140908092324.1bc7b98a@ossman.lkpg.cendio.se>
Message-ID: <20140910110559.59739bd6@ossman.lkpg.cendio.se>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Dominick Grift wrote:
> A rule like this should do it:
>
> dontaudit cupsd_t usr_t:file audit_access;

Thanks. That seems to be the correct approach for systems modern enough to
have audit_access. But I want to support older versions as well, and figured
that I'd be able to do so with an 'optional' section. Yet this:

> optional_policy(`
> 	gen_require(`
> 		type cupsd_t;
> 		class file { audit_access };
> 	')
>
> 	dontaudit cupsd_t etc_t:file audit_access;
> ')

still results in:

> libsepol.permission_copy_callback: Module thinlinc depends on permission audit_access in class file, not satisfied (No such file or directory).

And if I leave it out of the require section:

> optional_policy(`
> 	gen_require(`
> 		type cupsd_t;
> 	')
>
> 	dontaudit cupsd_t etc_t:file audit_access;
> ')

I get this:

> thinlinc.te":167:ERROR 'permission audit_access is not defined for class file' at token ';' on line 38285:
> #line 167
> dontaudit cupsd_t etc_t:file audit_access;

So I utterly fail to understand what 'optional' actually does. Is missing
types the only thing it can check for?

Rgds
-- 
Pierre Ossman           Software Development
Cendio AB               http://cendio.com
Teknikringen 8          http://twitter.com/ThinLinc
583 30 Linköping        http://facebook.com/ThinLinc
Phone: +46-13-214600    http://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
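As an added example, not part of the thread above and not code from the ThinLinc module or refpolicy: both failures in the mail happen at module compile or link time, so one way to ship a single module source for old and new systems is to decide at build time whether the target policy knows the permission at all, and only then emit the dontaudit rule. The running kernel exposes the loaded policy's classes and permissions under selinuxfs as /sys/fs/selinux/class/CLASS/perms/PERM; the script below tests for that entry and prints either the rule or a comment explaining why it was left out. The SELINUXFS override is an assumption added so the check can be exercised against a constructed directory tree; the class/type/permission names are the ones quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the thread): generate a dontaudit rule only if the
# loaded policy defines the permission, so the .te never references
# audit_access on a system whose policy lacks it.
#
# Assumption: SELINUXFS may be overridden (e.g. for testing); the default is
# the real selinuxfs mount point.
SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# has_perm CLASS PERM
# Succeeds when the loaded policy defines PERM on CLASS. selinuxfs exposes
# each permission of a class as a file under class/CLASS/perms/.
has_perm() {
    [ -e "$SELINUXFS/class/$1/perms/$2" ]
}

# gen_dontaudit SRC_TYPE TGT_TYPE CLASS PERM
# Prints the dontaudit rule when PERM exists, otherwise a policy comment so
# the generated .te still compiles on older policies.
gen_dontaudit() {
    if has_perm "$3" "$4"; then
        printf 'dontaudit %s %s:%s %s;\n' "$1" "$2" "$3" "$4"
    else
        printf '# %s not defined for class %s in this policy; rule omitted\n' \
            "$4" "$3"
    fi
}

# gen_stanza SRC_TYPE TGT_TYPE CLASS PERM
# Wraps the rule in the optional_policy/gen_require form used in the mail;
# only the type requirement is placed in gen_require, the permission itself
# is resolved by the build-time check above.
gen_stanza() {
    printf 'optional_policy(`\n'
    printf '\tgen_require(`\n\t\ttype %s;\n\t'"'"')\n\n' "$1"
    printf '\t%s' "$(gen_dontaudit "$1" "$2" "$3" "$4")"
    printf '\n'"'"')\n'
}

# Usage: append the generated stanza to the module source at build time, e.g.
#   gen_stanza cupsd_t usr_t file audit_access >> thinlinc.te
gen_stanza cupsd_t usr_t file audit_access
```

Run this on the build host whose policy the module will be loaded into; it prints a stanza that references audit_access only where /sys/fs/selinux/class/file/perms/audit_access exists. If the build host and the deployment target differ, point SELINUXFS at a copy of the target's selinuxfs class tree instead.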