From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 14 Dec 2015 09:57:29 -0500
Subject: [refpolicy] refpolicy interface help
In-Reply-To: <566D0441.8060600@yahoo.com>
References: <566D0441.8060600@yahoo.com>
Message-ID: <566ED8D9.1060803@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/13/2015 12:38 AM, Dan wrote:
> Hello all, I am confining the application emacs using the selinux
> refpolicy and I seem to be stuck on one little part. I get this one
> audit2allow rule that says
>
> allow emacs_t user_home_t:file { rename write create read open };
>
> Now my problem with that rule is that I don't want my application to
> write or create files with the user_home_t, so I decided to use an
> interface. The interfaces I used are these below:
>
> userdom_user_home_dir_filetrans(emacs_t, emacs_home_t, dir, ".emacs.d")
>
> userdom_user_home_content_filetrans(emacs_t, emacs_home_t, { file dir
> lnk_file })
>
> But the problem is when I added these into my policy and when trying to
> do an audit2allow on the most recent time and date the denial was still
> there for some odd reason and I don't know what interface, macro, or
> whatever to use to get rid of the denial
>
> allow emacs_t user_home_t:file { rename write create read open };
>
> Any help would be much appreciated.

Did you relabel the existing files and directories? Adding a filetrans
will only affect the label of new files/dirs being created.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
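
The check the reply asks about, as an added example that is not part of the original thread or of refpolicy: list everything under a directory whose stored SELinux type is still `user_home_t`, which is what files created before the filetrans rules were loaded would carry. The `~/.emacs.d` target and the function names are assumptions; the two type names come from the messages above.

```python
import os

STALE_TYPE = "user_home_t"     # type named in the denial quoted above
WANTED_TYPE = "emacs_home_t"   # type named in the filetrans calls quoted above

def read_label(path):
    """Return the SELinux context stored on path, or None if unavailable."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (OSError, AttributeError):   # no label, no such file, or non-Linux
        return None
    return raw.rstrip(b"\x00").decode()

def selinux_type(context):
    """Extract the type, the third field of user:role:type[:range]."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) >= 3 else None

def stale_entries(root, get_label=read_label):
    """Paths under root (root included) whose type is still STALE_TYPE.

    A type transition is applied only when an object is created, so
    anything that existed beforehand shows up here until it is relabeled.
    """
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
    return sorted(p for p in candidates
                  if selinux_type(get_label(p)) == STALE_TYPE)

if __name__ == "__main__":
    target = os.path.expanduser("~/.emacs.d")   # assumed location
    for path in stale_entries(target):
        print(f"{path}: still {STALE_TYPE}, relabel to {WANTED_TYPE}")
```

Any path it prints is an existing object that keeps producing the `user_home_t` denial until it is relabeled.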