From: dtdevore64@yahoo.com (Dan)
Date: Sun, 13 Dec 2015 17:13:44 -0500
Subject: [refpolicy] refpolicy interface help
In-Reply-To: <566D7265.6070100@redhat.com>
References: <566D0441.8060600@yahoo.com> <566D7265.6070100@redhat.com>
Message-ID: <566DED98.4010907@yahoo.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, you are correct it is the same denial before I added the
interfaces, so what do you mean re-create the AVC messages?
On 12/13/2015 08:28 AM, Lukas Vrabec wrote:
> HI,
> 
> On 12/13/2015 06:38 AM, Dan wrote:
>> Hello all, I am confining the application emacs using the selinux
>> refpolicy and I seem to be stuck on one little part. I get this one
>> audit2allow rule that says allow emacs_t user_home_t:file { rename write
>> create read open };
>>
>> Now my problem with that rule is that I don't want my application to
>> write or create files with the user_home_t, so I decided to use an
>> interface. The interfaces I used are these below:
>>
>> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>>
>> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir
>> lnk_file })
>>
>>
>>
>> But the problem is when I added these into my policy and when trying to
>> to an audit2allow on the most recent time and date the denial was still
>> there for some odd reason and I don't know what interface, macro, or
>> whatever to use to get rid of the denial allow emacs_t user_home_t:file
>> { rename write create read open }; Any help would be much appreciated.
> If I understand this correctly, you are using audit2allow on the same 
> AVC msg, that you used before adding interface? If yes, this is correct 
> audit2allow behavior, because in AVC msg is target context user_home_t 
> not emacs_home_t. So you need to re-create AVC msgs.
> 
> Regards,
> Lukas Vrabec.
>> Thanks.
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>