From: lvrabec@redhat.com (Lukas Vrabec)
Date: Sun, 13 Dec 2015 14:28:05 +0100
Subject: [refpolicy] refpolicy interface help
In-Reply-To: <566D0441.8060600@yahoo.com>
References: <566D0441.8060600@yahoo.com>
Message-ID: <566D7265.6070100@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

HI,

On 12/13/2015 06:38 AM, Dan wrote:
> Hello all, I am confining the application emacs using the selinux
> refpolicy and I seem to be stuck on one little part. I get this one
> audit2allow rule that says allow emacs_t user_home_t:file { rename write
> create read open };
>
> Now my problem with that rule is that I don't want my application to
> write or create files with the user_home_t, so I decided to use an
> interface. The interfaces I used are these below:
>
> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>
> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir
> lnk_file })
>
>
>
> But the problem is when I added these into my policy and when trying to
> to an audit2allow on the most recent time and date the denial was still
> there for some odd reason and I don't know what interface, macro, or
> whatever to use to get rid of the denial allow emacs_t user_home_t:file
> { rename write create read open }; Any help would be much appreciated.
If I understand this correctly, you are using audit2allow on the same 
AVC msg, that you used before adding interface? If yes, this is correct 
audit2allow behavior, because in AVC msg is target context user_home_t 
not emacs_home_t. So you need to re-create AVC msgs.

Regards,
Lukas Vrabec.
> Thanks.
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.