Hi!
I often find myself in need of a tool that would scan a module's .te file and generate the missing requires.
It should determine all the missing requires for which there are rules in that module, in one pass, and present either the missing requires only, or the full contents of the require {} section (in the second case, it could merge the missing class permissions with any existing permissions for the given pre-existing classes).
I know that I can use audit2allow to generate the requires for me with the -r switch, but it has 3 shortcomings:
1. It dumbly generates requires for all the classes/types/attributes it sees - and since it doesn't know anything about the intended module where the rules will go, it will probably generate requires for types/attributes that are defined in that module. Such require output, when blindly pasted into the module's source, will generate duplicate definition errors.
2. It knows nothing about preexisting requires in the target module, so it will spit out all of them and one has to remove duplicates by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq").
3. It won't help me if I write some rules by hand, not based on AVC messages.
I think the problem is widespread enough that someone could have written a tool for that already - I'd like to know about that before I start writing one myself :)
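A tool of the kind described above, as an added example that is not from the original post or from the SELinux project: it parses a .te module, subtracts the identifiers the module declares itself (shortcoming 1) and the entries already in its require {} block (shortcoming 2), reads the rules from the file rather than from AVC messages (shortcoming 3), and prints either the missing requires only or the full block with class permissions merged. The sample module, the function names and the `known_attributes` hint are constructed for this example. Because the base policy is not consulted, an identifier that appears only as a rule operand cannot be told apart from an attribute by syntax alone, so it is assumed to be a type unless the caller names it as an attribute.

```python
"""Missing require { } entries of an SELinux .te module. Added example for this thread, not a
tool from the SELinux project; assumes plain .te syntax and ignores refpolicy interface calls."""
import re
from collections import defaultdict

RULE_RE = re.compile(
    r"\b(allow|dontaudit|auditallow|neverallow)\s+"
    r"(\{[^}]*\}|[^\s{]+)\s+(\{[^}]*\}|[^\s:{]+)\s*:\s*"  # source, target, ':'
    r"(\{[^}]*\}|\w+)\s+(~?\{[^}]*\}|[^\s;]+)\s*;")       # class(es), permission(s)
TYPE_DECL_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,([^;]*))?;", re.M)
ATTR_DECL_RE = re.compile(r"^\s*attribute\s+(\w+)\s*;", re.M)

def _split_set(s):   # '{ a b }' -> ['a', 'b'], 'a' -> ['a']; a leading ~ (negation) is dropped
    s = s.strip().lstrip("~").strip()
    return s.strip("{}").split() if s.startswith("{") else s.split()

def _extract_require_blocks(text):
    """Return (require block bodies, text without them); braces are depth-matched
    because 'class file { read };' nests braces inside the block."""
    bodies, rest, pos = [], [], 0
    for m in re.finditer(r"\brequire\s*\{", text):
        depth, j = 1, m.end()
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        bodies.append(text[m.end():j - 1])
        rest.append(text[pos:m.start()])
        pos = j
    rest.append(text[pos:])
    return bodies, "".join(rest)

def analyze(te_text, known_attributes=frozenset()):
    """Return (existing, needed): what the require block has vs. what the rules use."""
    bodies, rest = _extract_require_blocks(re.sub(r"#.*", "", te_text))
    existing = {"type": set(), "attribute": set(), "class": defaultdict(set)}
    for stmt in ";".join(bodies).split(";"):
        words = stmt.split()
        kw, arg = (words[0], " ".join(words[1:])) if words else (None, "")
        if kw in ("type", "attribute"):
            existing[kw].update(x.strip() for x in arg.split(",") if x.strip())
        elif kw == "class":
            cls, _, perms = arg.partition(" ")
            existing["class"][cls].update(_split_set(perms))
    # Locally declared identifiers must not be required (duplicate definition); 'type x, a, b;' uses attrs a, b.
    local = {"type": set(), "attribute": set(ATTR_DECL_RE.findall(rest))}
    referenced = {"type": set(), "attribute": set()}
    for name, attrs in TYPE_DECL_RE.findall(rest):
        local["type"].add(name)
        referenced["attribute"].update(a.strip() for a in attrs.split(",") if a.strip())
    # Caveat: the base policy is not consulted, so a rule operand not known to be an attribute is assumed a type.
    attrs = known_attributes | local["attribute"] | existing["attribute"] | referenced["attribute"]
    used = defaultdict(set)
    for _kind, src, tgt, classes, perms in RULE_RE.findall(rest):
        ids = (set(_split_set(src)) | set(_split_set(tgt))) - {"self"}
        referenced["attribute"].update(ids & attrs)
        referenced["type"].update(ids - attrs)
        for cls in _split_set(classes):
            used[cls].update(_split_set(perms))
    return existing, {"type": referenced["type"] - local["type"],
                      "attribute": referenced["attribute"] - local["attribute"],
                      "class": dict(used)}

def missing_requires(te_text, known_attributes=frozenset(), full=False):
    """What the require block lacks; with full=True the whole block, existing entries merged in."""
    existing, needed = analyze(te_text, known_attributes)
    ex = existing["class"]
    out = {"type": needed["type"] - existing["type"],
           "attribute": needed["attribute"] - existing["attribute"],
           "class": {c: p - ex.get(c, set()) for c, p in needed["class"].items() if p - ex.get(c, set())}}
    if full:   # merge what is already required back in, unioning class permissions
        out["type"] |= existing["type"]
        out["attribute"] |= existing["attribute"]
        for c, p in ex.items():
            out["class"][c] = out["class"].get(c, set()) | p
    return {"type": sorted(out["type"]), "attribute": sorted(out["attribute"]),
            "class": {c: sorted(p) for c, p in sorted(out["class"].items())}}

def render(req):
    """Format a requires dict as a require { } block ready to paste into the .te."""
    lines = ["\t%s %s;" % (k, ", ".join(req[k])) for k in ("type", "attribute") if req[k]]
    lines += ["\tclass %s { %s };" % (c, " ".join(p)) for c, p in req["class"].items()]
    return "\n".join(["require {"] + lines + ["}"])

# Constructed sample module (not from the thread): local declarations, a partial require block, one hand-written rule.
SAMPLE_TE = """\
require {
    type httpd_t;
    class file { read getattr };
}
attribute mymod_domain;
type mymod_t, mymod_domain, domain;
allow httpd_t mymod_t:process { signal sigchld };
allow mymod_t { etc_t usr_t }:file { read open };
allow mymod_t self:process signal;
dontaudit mymod_t file_type:dir { search getattr };   # hand-written; file_type is an attribute
"""

if __name__ == "__main__":   # file_type: caller-supplied attribute hint, see the caveat above
    print(render(missing_requires(SAMPLE_TE, known_attributes={"file_type"})))
    print(render(missing_requires(SAMPLE_TE, known_attributes={"file_type"}, full=True)))
```

Running the file prints the missing-only block (`type etc_t, usr_t;`, `attribute domain, file_type;`, `class file { open };` and so on) followed by the merged full block, where `file` carries `getattr open read`. Leave out the `known_attributes` hint and `file_type` is emitted as a type, which is the failure mode the caveat in `analyze()` describes; a real implementation would resolve identifier kinds against the loaded policy instead.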
Aleksander Adamowski wrote:
[...]
You can ask selinux@tycho.nsa.gov; I remember there is some work upstream similar to your idea.
Ken YANG wrote:
Aleksander Adamowski wrote:
[...]
You can ask selinux@tycho.nsa.gov; I remember there is some work upstream similar to your idea.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The best idea is to get rid of gen_requires altogether and have the linker/compiler figure it out. This is being worked on in the new polgen implementation.
selinux@lists.fedoraproject.org