-
Notifications
You must be signed in to change notification settings - Fork 360
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New flag -C for audit2allow sets output format to CIL instead of Policy Language. Example: ;============= mozilla_t ============== ;!!!! This avc is allowed in the current policy (allow mozilla_t user_sudo_t (fd (use))) ;============= user_t ============== ;!!!! This avc can be allowed using the boolean 'allow_execmem' (allow user_t self (process (execmem))) (allow user_t chromium_t (process (noatsecure rlimitinh siginh))) ;!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access. ;Constraint rule: ; constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-) or (u1 == system_u -Fail-) or (u1 == unconfined_u -Fail-) or (u1 == sysadm_u -Fail-) or (u2 == system_u -Fail-) or (t1 != ubac_constrained_type -Fail-) or (t2 != ubac_constrained_type -Fail-) or (t1 == ubacfile -Fail-) ); Constraint DENIED ; Possible cause is the source user (user_u) and target user (sysadm_u) are different. (allow user_t user_home_dir_t (dir (getattr relabelto))) Signed-off-by: Topi Miettinen <[email protected]> --- v4: several fixes to issues found by James Carter v3: fixed extended permissions syntax v2: fix uninitialized variable detected by CI
- Loading branch information
1 parent
82195e7
commit 52b3577
Showing
5 changed files
with
298 additions
and
90 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.