A tool to generate missing requires for a SELinux module?

Aleksander Adamowski aleksander.adamowski at altkom.pl
Thu Aug 23 10:01:39 UTC 2007


Hi!

I often find myself in need of a tool that would scan a module's .te 
file and generate the missing requires.

It should determine all the missing requires, for which there are rules 
in that module, in one pass, and present either the missing requires 
only, or the full contents of the require {} section (in the second 
case, it could merge the missing class permissions with any existing 
permissions for given pre-existing classes).

I know that I can use audit2allow to generate the requires for me with 
-r switch, but it has 3 shortcomings:

   1. It dumbly generates requires for all the classes/types/attributes
      it sees - and since it doesn't know anything about the intended module
      where the rules will go, it will probably generate requires for
      types/attributes that are defined in that module. Such require
      output, when blindly pasted into the module's source, will generate
      duplicate definition errors.
   2. It knows nothing about preexisting requires in the target module,
      so it will spit out all of them and one has to remove duplicates
      by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq")
   3. It won't help me if I write some rules by hand, not based on AVC
      messages.

I think the problem is widespread enough that someone could have written 
a tool for that already - I'd like to know about that before I start 
writing one myself :)

-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.org.pl

--
Aleksander Adamowski
    Corporate Systems Administrator; Instructor
    Altkom Akademia S.A. http://www.altkom.pl
    Warszawa, ul. Chłodna 51

    mobile: 0-601-318-080


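A minimal version of the tool the post asks for, as an added example written for this page (it is not the author's code and not an existing SELinux utility): it reads a module's .te text, collects the types declared in the module and whatever the existing require {} block already lists, and reports only what is still missing, merging class permissions with those already required. SAMPLE_TE is a constructed module; the parser handles plain `allow`/`dontaudit`-style rules and `require { }` blocks, not interface macros.

```python
import re

# Constructed sample module (not from the post): declared types, a partial
# require block, and rules referencing things the module does not declare.
SAMPLE_TE = """type myapp_t;
type myapp_exec_t;
require {
    type httpd_t;
    class file { read getattr };
}
allow myapp_t myapp_exec_t:file { read execute };
allow myapp_t httpd_t:process signal;
allow myapp_t var_log_t:file { read getattr open };
dontaudit myapp_t self:capability sys_resource;
"""
# A rule is "kind source target:class perm-or-{perms};"; a require body may nest one brace level.
RULE_RE = re.compile(r'^\s*(?:allow|dontaudit|auditallow|neverallow)\s+(\S+)\s+(\S+?)'
                     r'\s*:\s*(\w+)\s+(\{[^}]*\}|\S+?)\s*;', re.M)
REQUIRE_RE = re.compile(r'\brequire\s*\{((?:[^{}]|\{[^}]*\})*)\}')
CLASS_RE = re.compile(r'\bclass\s+(\w+)\s+(\{[^}]*\}|\w+)\s*;')

def _perms(s):
    return set(s.strip('{} ').split())

def missing_requires(te):
    """Return (names needing a require, {class: permissions needing a require})."""
    body = REQUIRE_RE.sub('', te)           # declarations are looked up outside require {}
    declared = set(re.findall(r'^\s*(?:type|attribute)\s+(\w+)', body, re.M))
    have_types, have_classes = set(), {}
    for r in REQUIRE_RE.findall(te):        # what the module already requires
        have_types.update(re.findall(r'\b(?:type|attribute)\s+(\w+)', r))
        for cls, perms in CLASS_RE.findall(r):
            have_classes.setdefault(cls, set()).update(_perms(perms))
    need_types, need_classes = set(), {}
    for src, tgt, cls, perms in RULE_RE.findall(body):
        # Only the .te is read, so a name that is really an attribute still comes
        # out as "type" in the output; such entries have to be corrected by hand.
        need_types.update(x for x in (src, tgt)
                          if x != 'self' and x not in declared | have_types)
        wanted = _perms(perms) - have_classes.get(cls, set())
        if wanted:
            need_classes.setdefault(cls, set()).update(wanted)
    return need_types, need_classes

def format_requires(need_types, need_classes):
    """Render the result as a require {} block ready to paste into the module."""
    lines = ["require {"] + ["\ttype %s;" % t for t in sorted(need_types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(need_classes.items())]
    return "\n".join(lines + ["}"])
```

Running `print(format_requires(*missing_requires(SAMPLE_TE)))` lists only `var_log_t`, the missing `execute`/`open` file permissions, and the `process` and `capability` classes, leaving out everything the module declares or already requires.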
More information about the fedora-selinux-list mailing list