From: lvrabec@redhat.com (Lukas Vrabec)
Date: Mon, 14 Dec 2015 12:55:19 +0100
Subject: [refpolicy] refpolicy interface help
In-Reply-To: <566DED98.4010907@yahoo.com>
References: <566D0441.8060600@yahoo.com> <566D7265.6070100@redhat.com> <566DED98.4010907@yahoo.com>
Message-ID: <566EAE27.6070009@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/13/2015 11:13 PM, Dan wrote:
> Yes, you are correct it is the same denial before I added the
> interfaces, so what do you mean re-create the AVC messages?

Could you attach exactly how you are using the "audit2allow" command, and
also the AVC messages?

> On 12/13/2015 08:28 AM, Lukas Vrabec wrote:
>> Hi,
>>
>> On 12/13/2015 06:38 AM, Dan wrote:
>>> Hello all, I am confining the application emacs using the selinux
>>> refpolicy and I seem to be stuck on one little part. I get this one
>>> audit2allow rule that says allow emacs_t user_home_t:file { rename write
>>> create read open };
>>>
>>> Now my problem with that rule is that I don't want my application to
>>> write or create files with the user_home_t, so I decided to use an
>>> interface. The interfaces I used are these below:
>>>
>>> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>>>
>>> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir
>>> lnk_file })
>>>
>>> But the problem is when I added these into my policy and when trying to
>>> do an audit2allow on the most recent time and date the denial was still
>>> there for some odd reason and I don't know what interface, macro, or
>>> whatever to use to get rid of the denial allow emacs_t user_home_t:file
>>> { rename write create read open }; Any help would be much appreciated.
>>
>> If I understand this correctly, you are using audit2allow on the same
>> AVC msg that you used before adding the interface? If yes, this is correct
>> audit2allow behavior, because the target context in the AVC msg is
>> user_home_t, not emacs_home_t. So you need to re-create the AVC msgs.
>>
>> Regards,
>> Lukas Vrabec.
>>> Thanks.
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
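
The behaviour described in the reply above, as an added example that is not part of the original thread: a small Python parser that turns AVC denial records into allow-rule strings, run once over the whole log and once over only the records written after the policy change. The log lines, timestamps and the `POLICY_RELOAD` value are constructed for illustration, and the rule formatting only approximates what audit2allow prints.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the thread): two denials recorded
# before the updated policy module was loaded, one recorded after it.
SAMPLE_LOG = '''\
type=AVC msg=audit(1450000000.101:201): avc:  denied  { create } for  pid=2101 comm="emacs" name="notes.txt" scontext=user_u:user_r:emacs_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450000000.102:202): avc:  denied  { write open } for  pid=2101 comm="emacs" name="notes.txt" scontext=user_u:user_r:emacs_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1450003600.417:305): avc:  denied  { write } for  pid=2200 comm="emacs" name="todo.txt" scontext=user_u:user_r:emacs_t:s0 tcontext=user_u:object_r:emacs_home_t:s0 tclass=file permissive=0
'''
POLICY_RELOAD = 1450001800.0  # assumed epoch time the new module was loaded

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')


def selinux_type(context):
    """Return the type, the third colon-separated field of a context."""
    return context.split(':')[2]


def rules_since(log_text, since=0.0):
    """Aggregate denials logged at or after `since` into allow-rule strings."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or float(m['ts']) < since:
            continue  # not an AVC denial, or recorded before the cut-off
        key = (selinux_type(m['s']), selinux_type(m['t']), m['cls'])
        perms[key].update(m['perms'].split())
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())


if __name__ == '__main__':
    print('whole log:', *rules_since(SAMPLE_LOG), sep='\n  ')
    print('after reload:', *rules_since(SAMPLE_LOG, POLICY_RELOAD), sep='\n  ')
```

Run over the whole log, the old `user_home_t` rule is still produced because the old records still name that target type; restricted to records after the reload, only denials against the new type remain.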