From: lvrabec@redhat.com (Lukas Vrabec) Date: Sun, 13 Dec 2015 14:28:05 +0100 Subject: [refpolicy] refpolicy interface help In-Reply-To: <566D0441.8060600@yahoo.com> References: <566D0441.8060600@yahoo.com> Message-ID: <566D7265.6070100@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com HI, On 12/13/2015 06:38 AM, Dan wrote: > Hello all, I am confining the application emacs using the selinux > refpolicy and I seem to be stuck on one little part. I get this one > audit2allow rule that says allow emacs_t user_home_t:file { rename write > create read open }; > > Now my problem with that rule is that I don't want my application to > write or create files with the user_home_t, so I decided to use an > interface. The interfaces I used are these below: > > userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d") > > userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir > lnk_file }) > > > > But the problem is when I added these into my policy and when trying to > to an audit2allow on the most recent time and date the denial was still > there for some odd reason and I don't know what interface, macro, or > whatever to use to get rid of the denial allow emacs_t user_home_t:file > { rename write create read open }; Any help would be much appreciated. If I understand this correctly, you are using audit2allow on the same AVC msg, that you used before adding interface? If yes, this is correct audit2allow behavior, because in AVC msg is target context user_home_t not emacs_home_t. So you need to re-create AVC msgs. Regards, Lukas Vrabec. > Thanks. > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Lukas Vrabec SELinux Solutions Red Hat, Inc.