From: dtdevore64@yahoo.com (Dan)
Date: Mon, 14 Dec 2015 09:29:20 -0500
Subject: [refpolicy] refpolicy interface help
In-Reply-To: <566EAE27.6070009@redhat.com>
References: <566D0441.8060600@yahoo.com> <566D7265.6070100@redhat.com> <566DED98.4010907@yahoo.com> <566EAE27.6070009@redhat.com>
Message-ID: <566ED240.8050009@yahoo.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, I am basically using audit2allow like this:

sudo ausearch -m avc -ts 20:18 | audit2allow -r

As for the AVCs, here they are:

allow emacs_t user_home_t:file { read write create unlink open lock };
allow emacs_t config_home_t:file { read write getattr open };
allow emacs_t ssh_exec_t:file execute;
allow emacs_t gpg_exec_t:file { execute getattr };

I mean, am I wrong to think that allowing emacs to write to any type that is labeled user_home_t, or should I just allow it because it seems my interfaces aren't working with the transition? Basically what it comes down to is: if I confine any application with SELinux, what rule, interface, or macro do I need to use so I won't get any AVCs about that application writing to my user_home_t type? That is pretty much what I want to know. Thanks for helping me out.

On 12/14/2015 06:55 AM, Lukas Vrabec wrote:
>
>
> On 12/13/2015 11:13 PM, Dan wrote:
>> Yes, you are correct, it is the same denial before I added the interfaces, so what do you mean re-create the AVC messages?
> Could you attach how exactly you are using the "audit2allow" command and also the AVC messages?
>> On 12/13/2015 08:28 AM, Lukas Vrabec wrote:
>>> HI,
>>>
>>> On 12/13/2015 06:38 AM, Dan wrote:
>>>> Hello all, I am confining the application emacs using the SELinux refpolicy and I seem to be stuck on one little part.
>>>> I get this one audit2allow rule that says:
>>>>
>>>> allow emacs_t user_home_t:file { rename write create read open };
>>>>
>>>> Now my problem with that rule is that I don't want my application to write or create files with the user_home_t, so I decided to use an interface. The interfaces I used are these below:
>>>>
>>>> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>>>>
>>>> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir lnk_file })
>>>>
>>>> But the problem is, when I added these into my policy and tried to do an audit2allow on the most recent time and date, the denial was still there for some odd reason, and I don't know what interface, macro, or whatever to use to get rid of the denial allow emacs_t user_home_t:file { rename write create read open }; Any help would be much appreciated.
>>> If I understand this correctly, you are using audit2allow on the same AVC msg that you used before adding the interface? If yes, this is correct audit2allow behavior, because in the AVC msg the target context is user_home_t, not emacs_home_t. So you need to re-create AVC msgs.
>>>
>>> Regards,
>>> Lukas Vrabec.
>>>> Thanks.
>>>> _______________________________________________
>>>> refpolicy mailing list
>>>> refpolicy at oss.tresys.com
>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
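As an added example that is not part of this thread: a small Python triage of raw AVC records that applies Lukas's point, that AVCs recorded before the rebuilt module was loaded still name user_home_t and prove nothing, and separates them from live denials that need attention. The record lines, their epoch timestamps and the POLICY_LOADED_TS value are constructed; emacs_t, emacs_home_t and user_home_t are the types from the thread.

```python
import re

# Constructed raw AVC records in the layout `ausearch -m avc` prints (not from the
# thread). Epoch seconds are made up; only their ordering relative to the load matters.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1450113480.101:811): avc:  denied  { write create open } for  pid=2101 comm="emacs" name="recentf" scontext=unconfined_u:unconfined_r:emacs_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1450118520.377:902): avc:  denied  { write open } for  pid=2190 comm="emacs" name="recentf" scontext=unconfined_u:unconfined_r:emacs_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1450118530.912:903): avc:  denied  { read open } for  pid=2190 comm="emacs" name="init.el" scontext=unconfined_u:unconfined_r:emacs_t:s0 tcontext=unconfined_u:object_r:emacs_home_t:s0 tclass=file permissive=0',
]
POLICY_LOADED_TS = 1450118000  # constructed: when the rebuilt emacs module was loaded

HEAD_RE = re.compile(r"audit\((?P<ts>\d+)\.\d+:\d+\).*?denied\s+\{\s*(?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(scontext|tcontext|tclass|comm)=("[^"]*"|\S+)')
WRITE_LIKE = {"write", "create", "rename", "unlink", "append"}


def parse_avc(line):
    """Pull timestamp, permission set, source/target types and object class out of one record."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return {
        "ts": int(m.group("ts")),
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],  # user:role:type[:range] -> type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def triage(line, policy_loaded_ts, domain="emacs_t", private_type="emacs_home_t", shared_type="user_home_t"):
    """Classify one denial once a filetrans rule from `domain` to `private_type` is loaded."""
    rec = parse_avc(line)
    if rec is None or rec["stype"] != domain:
        return "skip"
    if rec["ts"] < policy_loaded_ts:
        return "stale"    # logged before the new policy: feeding it to audit2allow proves nothing
    if rec["ttype"] == shared_type and rec["perms"] & WRITE_LIKE:
        return "relabel"  # a filetrans only labels newly created files; this one predates it
    if rec["ttype"] == private_type:
        return "private"  # real denial on the private type: this is what belongs in the module
    return "review"


def triage_all(lines, policy_loaded_ts):
    """Verdict per record, in input order."""
    return [triage(line, policy_loaded_ts) for line in lines]
```

Records classified "relabel" point at files that existed before the module was loaded and still carry user_home_t; "stale" ones are simply old and should be dropped from the ausearch time window.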