Re: Debian testing +selinux
- From: Stephen Smalley <sds tycho nsa gov>
- To: Ken YANG <spng yang gmail com>
- Cc: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: Debian testing +selinux
- Date: Tue, 24 Jul 2007 08:11:30 -0400
On Tue, 2007-07-24 at 10:17 +0800, Ken YANG wrote:
> Stephen Smalley wrote:
> > On Mon, 2007-07-23 at 09:41 -0500, Justin Conover wrote:
> >> Another question, does doing this audit2allow method sort of mean "I
> >> have no idea what I'm doing, so allow it all", or is that why it
> >> caught the hald_t memory portion and said NO, don't do this!
> >
> > As per the audit2allow man page, you should think through the rules
> > generated by audit2allow, not just blindly take them.
> >
> > The neverallow statements aka assertions in the base policy will catch
> > certain kinds of dangerous access or malformed rules, but are certainly
> > not exhaustive.
>
> With your words, can I think the violated assertion, such as:
>
> assertion on line 0 violated by allow ......
>
> only be introduced by "neverallow" rules? Are there any other rules
> that will cause this kind of error?

Only neverallow rules cause those messages to occur. The "assertion on
line 0" part is a holdover of when this was all done when policy was
compiled from source (versus precompiled loadable modules).
--
Stephen Smalley
National Security Agency
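
A simplified model of the check discussed in this thread, as an added example that is not part of the original message and is not checkpolicy's own code: it compares audit2allow-style allow rules against neverallow rules and reports the ones that would trip an assertion. The attribute, target type and rules are constructed, and `~`, `*`, `-` and `self` are not modelled.

```python
import re

# Simplified model: "(never)allow SRC TGT:CLASS PERMS;" where each field is a
# name or a "{ a b }" set. Not modelled: "~", "*", "-" and "self".
T = r"(\{[^}]*\}|\w+)"
RULE = re.compile(rf"^(allow|neverallow)\s+{T}\s+{T}\s*:\s*{T}\s+{T}\s*;$")

def names(tok, attrs):
    """Split a field into names and expand attributes into their member types."""
    out = set()
    for n in tok.strip("{} ").split():
        out |= attrs.get(n, {n})
    return out

def parse(text, attrs):
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#")[0].strip())
        if m:
            kind, *fields = m.groups()
            rules.append((kind, [names(f, attrs) for f in fields], m.group(0)))
    return rules

def violations(base, candidate, attrs):
    """Return (allow_rule, neverallow_rule, overlapping_perms) for each clash."""
    never = [r for r in parse(base, attrs) if r[0] == "neverallow"]
    found = []
    for _, a, a_text in (r for r in parse(candidate, attrs) if r[0] == "allow"):
        for _, n, n_text in never:
            # A clash needs overlap in source, target, class and permissions.
            if all(x & y for x, y in zip(a, n)):
                found.append((a_text, n_text, sorted(a[3] & n[3])))
    return found

# Constructed sample data (names are assumptions, not taken from a real policy).
ATTRS = {"unpriv_domain": {"hald_t", "demo_app_t"}}
BASE = """
neverallow unpriv_domain mem_dev_t:chr_file { read write };  # base-policy assertion
"""
CANDIDATE = """
allow hald_t mem_dev_t:chr_file { read getattr };  # audit2allow-style output
allow hald_t var_log_t:file { append getattr };
"""

if __name__ == "__main__":
    for a, n, perms in violations(BASE, CANDIDATE, ATTRS):
        print(f"{a}\n  conflicts with: {n}\n  permissions: {' '.join(perms)}")
```
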