I'm an SELinux newbie using RHEL 7.9, and I'm in the process of creating a "private/application" SELinux policy for a large legacy application.
For some AVCs/denials I've been using audit2allow to generate some of the rules/interfaces to resolve the AVCs/denials.
Questions about using the "-R" option to generate the policy rules:
1. What are the risks of using the "-R" option? Do people use the "interfaces" that "-R" generates in policies deployed to production environments? When "-R" is used, how does the tool itself determine which "interface" to use? Is it Linux distribution and release specific, so that upgrading would be a problem?
The Red Hat documentation and man page (and other vendors' documentation) say it is a risk to use this tool (see [1][2]).
2. When the "-R" option is not used, separate rules are generated that do not include "interface" rules. Is it safe to use the rules audit2allow generates (without "-R"), or are those a risk as well?
3. Any other suggestions for resolving AVCs/denials?
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
[2] audit2allow man page (man audit2allow): "-R | --reference  Generate reference policy using installed macros. This attempts to match denials against interfaces and may be inaccurate."
Thanks
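As an added illustration (editor's example, not code from the post or from audit2allow itself): without "-R", audit2allow essentially groups every denial by (source type, target type, object class) and emits one raw allow rule per group. The script below reproduces that grouping over a few constructed audit records for a hypothetical "legacyd_t" domain, then runs the review pass a practitioner would want before shipping such rules: it flags rules that grant high-impact permissions and rules whose target type belongs to some other module, because a raw rule hard-codes that module's internal type names, which is exactly what its interfaces exist to hide. The sample records, the "legacyd_t" domain, the own_types set and the RISKY_PERMS list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the original post). The
# field layout mirrors what ausearch -m AVC prints; the domain "legacyd_t",
# the inodes and the pids are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1627056000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="legacyd"
type=AVC msg=audit(1627056000.123:456): avc:  denied  { read } for  pid=1234 comm="legacyd" name="app.conf" dev="dm-0" ino=123 scontext=system_u:system_r:legacyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1627056000.124:457): avc:  denied  { open } for  pid=1234 comm="legacyd" path="/etc/app.conf" dev="dm-0" ino=123 scontext=system_u:system_r:legacyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1627056000.200:458): avc:  denied  { dac_override } for  pid=1234 comm="legacyd" capability=1 scontext=system_u:system_r:legacyd_t:s0 tcontext=system_u:system_r:legacyd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1627056000.300:459): avc:  denied  { name_connect } for  pid=1234 comm="legacyd" dest=5432 scontext=system_u:system_r:legacyd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Illustrative list (editor's choice, not something audit2allow knows about) of
# permissions that usually deserve a human decision rather than a blanket allow.
RISKY_PERMS = {
    "dac_override", "dac_read_search", "sys_admin", "sys_ptrace", "sys_module",
    "execmem", "execheap", "execstack", "relabelfrom", "relabelto",
}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def aggregate_rules(lines):
    """Group denials by (source type, target type, class), as audit2allow does without -R."""
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            rules[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(rules)


def render_rules(rules):
    """Emit raw allow rules in sorted, deterministic order ("self" when source == target)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def review_flags(rules, own_types):
    """Flag rules a reviewer should not accept unread.

    own_types: the types declared by your own module (assumed here: {"legacyd_t"}).
    A rule whose target type is owned by another module bypasses that module's
    interfaces and silently stops matching if the type is ever renamed or split.
    """
    flags = []
    for key, perms in sorted(rules.items()):
        stype, ttype, tclass = key
        risky = sorted(perms & RISKY_PERMS)
        if risky:
            flags.append((key, f"grants high-impact permission(s): {' '.join(risky)}"))
        if ttype not in own_types:
            flags.append((key, f"targets foreign type {ttype}; consider the owning module's interface"))
    return flags


if __name__ == "__main__":
    rules = aggregate_rules(SAMPLE_AUDIT_LOG.splitlines())
    for rule in render_rules(rules):
        print(rule)
    for key, reason in review_flags(rules, own_types={"legacyd_t"}):
        print(f"# REVIEW {key}: {reason}")
```

The two flagged foreign-type rules (etc_t, postgresql_port_t) are the ones where "-R" would try to substitute an interface from the installed policy; the capability rule is the one where neither mode helps and the right answer is usually to fix the application's privilege use rather than allow it.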
"Large legacy application."
I'm running for the nearest exit and getting off the property already.
On July 23, 2021 8:49:25 AM AKDT, Todd Sandor toddlersandor@gmail.com wrote:
selinux@lists.fedoraproject.org