From: dtdevore64@yahoo.com (Dan)
Date: Mon, 14 Dec 2015 09:29:20 -0500
Subject: [refpolicy] refpolicy interface help
In-Reply-To: <566EAE27.6070009@redhat.com>
References: <566D0441.8060600@yahoo.com> <566D7265.6070100@redhat.com>
	<566DED98.4010907@yahoo.com> <566EAE27.6070009@redhat.com>
Message-ID: <566ED240.8050009@yahoo.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes I am basically using audit2allow like this:

sudo ausearch -m avc -ts 20:18 | audit2allow -r

As for the AVCs, here they are:

allow emacs_t user_home_t:file { read write create unlink open lock };
allow emacs_t config_home_t:file { read write getattr open };
allow emacs_t ssh_exec_t:file execute
allow emacs_t gpg_exec_t:file { execute getattr };

I mean am I wrong to think that allowing emacs to write to any type that
is labeled user_home_t, or should I just allow because it seems my
interfaces aren't working with the transition. Basically what it comes
down to is if I confine any application with selinux what rule,
interface,macro do I need to use so I won't get any AVCs about that
application writing to my user_home_t type. That is pretty much what I
want to know. Thanks for helping me out.

On 12/14/2015 06:55 AM, Lukas Vrabec wrote:
> 
> 
> On 12/13/2015 11:13 PM, Dan wrote:
>> Yes, you are correct it is the same denial before I added the
>> interfaces, so what do you mean re-create the AVC messages?
> Could you attach how you exactly using "audit2allow" command and also
> AVC messages?
>> On 12/13/2015 08:28 AM, Lukas Vrabec wrote:
>>> HI,
>>>
>>> On 12/13/2015 06:38 AM, Dan wrote:
>>>> Hello all, I am confining the application emacs using the selinux
>>>> refpolicy and I seem to be stuck on one little part. I get this one
>>>> audit2allow rule that says allow emacs_t user_home_t:file { rename
>>>> write
>>>> create read open };
>>>>
>>>> Now my problem with that rule is that I don't want my application to
>>>> write or create files with the user_home_t, so I decided to use an
>>>> interface. The interfaces I used are these below:
>>>>
>>>> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>>>>
>>>> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir
>>>> lnk_file })
>>>>
>>>>
>>>>
>>>> But the problem is when I added these into my policy and when trying to
>>>> to an audit2allow on the most recent time and date the denial was still
>>>> there for some odd reason and I don't know what interface, macro, or
>>>> whatever to use to get rid of the denial allow emacs_t user_home_t:file
>>>> { rename write create read open }; Any help would be much appreciated.
>>> If I understand this correctly, you are using audit2allow on the same
>>> AVC msg, that you used before adding interface? If yes, this is correct
>>> audit2allow behavior, because in AVC msg is target context user_home_t
>>> not emacs_home_t. So you need to re-create AVC msgs.
>>>
>>> Regards,
>>> Lukas Vrabec.
>>>> Thanks.
>>>> _______________________________________________
>>>> refpolicy mailing list
>>>> refpolicy at oss.tresys.com
>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>