From: dtdevore64@yahoo.com (Dan)
Date: Sun, 13 Dec 2015 17:13:44 -0500
Subject: [refpolicy] refpolicy interface help
In-Reply-To: <566D7265.6070100@redhat.com>
References: <566D0441.8060600@yahoo.com> <566D7265.6070100@redhat.com>
Message-ID: <566DED98.4010907@yahoo.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, you are correct, it is the same denial before I added the interfaces, so what do you mean re-create the AVC messages?

On 12/13/2015 08:28 AM, Lukas Vrabec wrote:
> Hi,
>
> On 12/13/2015 06:38 AM, Dan wrote:
>> Hello all, I am confining the application emacs using the SELinux
>> refpolicy and I seem to be stuck on one little part. I get this one
>> audit2allow rule that says allow emacs_t user_home_t:file { rename write
>> create read open };
>>
>> Now my problem with that rule is that I don't want my application to
>> write or create files with the user_home_t, so I decided to use an
>> interface. The interfaces I used are these below:
>>
>> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>>
>> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir lnk_file })
>>
>> But the problem is when I added these into my policy and when trying to
>> do an audit2allow on the most recent time and date the denial was still
>> there for some odd reason and I don't know what interface, macro, or
>> whatever to use to get rid of the denial allow emacs_t user_home_t:file
>> { rename write create read open }; Any help would be much appreciated.
>
> If I understand this correctly, you are using audit2allow on the same
> AVC msg that you used before adding the interface? If yes, this is correct
> audit2allow behavior, because in the AVC msg the target context is
> user_home_t, not emacs_home_t. So you need to re-create the AVC msgs.
>
> Regards,
> Lukas Vrabec.
>
>> Thanks.
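Added example (not part of the thread, and not refpolicy or audit2allow code): a small Python sketch of the behaviour discussed above, where rules built from AVC records logged before the policy change keep naming user_home_t. The log lines, the timestamps and the function names are constructed for illustration, and the emacs_home_t denial is an assumed example of a freshly generated record.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread). The first two were
# logged before the policy with the filetrans interfaces was loaded; the last
# one is an assumed denial logged afterwards.
SAMPLE_LOG = """\
type=AVC msg=audit(1450040000.101:310): avc:  denied  { create } for  pid=2101 comm="emacs" name="notes.txt" scontext=staff_u:staff_r:emacs_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1450040000.105:311): avc:  denied  { write open } for  pid=2101 comm="emacs" name="notes.txt" scontext=staff_u:staff_r:emacs_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1450050000.220:402): avc:  denied  { create } for  pid=2450 comm="emacs" name="init.el" scontext=staff_u:staff_r:emacs_t:s0 tcontext=staff_u:object_r:emacs_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]*)\}"
    r".*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\w+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def allow_rules(log_text, since=0.0):
    """Build allow rules from AVC denials logged at or after `since` (epoch seconds)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or float(m.group("ts")) < since:
            continue  # not an AVC denial, or logged before the cut-off
        key = (context_type(m.group("s")), context_type(m.group("t")), m.group("cls"))
        perms[key].update(m.group("perms").split())
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in perms.items()
    )

if __name__ == "__main__":
    POLICY_LOADED = 1450045000.0  # hypothetical time the new module was loaded
    print("all records:", *allow_rules(SAMPLE_LOG), sep="\n  ")
    print("since reload:", *allow_rules(SAMPLE_LOG, POLICY_LOADED), sep="\n  ")
```

With the real tool, audit2allow's -l (--lastreload) option limits its input to records logged after the last policy reload.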