2018-06-12 11:06 GMT+02:00 Jan Zarsky <[email protected]>:
> Add support for extended permissions to audit2allow. Extend AuditParser
> to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
> generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
> to turn on generating of extended permission AV rules.
>
> AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
> converts the ioctlcmd values into generic representation of extended
> permissions that is stored in access vectors.
>
> Extended permissions are represented by operations (currently only
> 'ioctl') and values associated to the operations. Values (for example
> '~{ 0x42 1234 23-34 }') are stored in the XpermSet class.
>
> PolicyGenerator contains new method to turn on generating of xperms.
> When turned on, for each access vector, standard AV rule and possibly
> several xperm AV rules are generated. Xperm AV rules are represented by
> the AVExtRule class.
>
> With xperm generating turned off, PolicyGenerator provides comments
> about extended permissions in certain situations. When the AVC message
> contains the ioctlcmd field and the access would be allowed according to
> the policy, PolicyGenerator warns about xperm rules being the possible
> cause of the denial.
>
> Signed-off-by: Jan Zarsky <[email protected]>
> ---
>
> V2 fixes two whitespace issues, in audit.py uses 'except ValueError'
> instead of bare except, and fixes typo in error message in policygen.py

Thanks. I have applied your three patches.

Nicolas
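
An added illustration of the flow the commit message above describes: read the 'ioctlcmd' field from AVC denials, then emit allowxperm rules. It is not sepolgen's or audit2allow's own code; the log lines, type names and function names are constructed for this example, and adjacent command values are merged into ranges.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1528794000.101:201): avc:  denied  { ioctl } for  pid=811 comm="demo" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1528794000.102:202): avc:  denied  { ioctl } for  pid=811 comm="demo" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5402 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1528794000.103:203): avc:  denied  { ioctl } for  pid=811 comm="demo" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5413 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1528794000.104:204): avc:  denied  { ioctl } for  pid=811 comm="demo" path="/dev/sda" dev="devtmpfs" ino=9 ioctlcmd=1261 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1528794000.105:205): avc:  denied  { read } for  pid=811 comm="demo" name="passwd" dev="dm-0" ino=77 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return (source type, target type, class, ioctl command) or None."""
    m = AVC_RE.search(line)
    if not m or "ioctl" not in m.group(1).split():
        return None
    # Simplification: assumes no whitespace inside quoted field values.
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        cmd = int(fields["ioctlcmd"], 16)  # hex, with or without a 0x prefix
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return src, tgt, fields["tclass"], cmd
    except (KeyError, IndexError, ValueError):
        return None  # no ioctlcmd field, or a malformed record

def to_ranges(values):
    """Collapse a set of ints into sorted inclusive (low, high) ranges."""
    ranges = []
    for v in sorted(values):
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], v)
        else:
            ranges.append((v, v))
    return ranges

def generate_allowxperm(log):
    """Group ioctl denials by (source, target, class); emit one rule each."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        if (parsed := parse_avc(line)):
            grouped[parsed[:3]].add(parsed[3])
    rules = []
    for (src, tgt, cls), cmds in sorted(grouped.items()):
        items = [f"0x{lo:x}" if lo == hi else f"0x{lo:x}-0x{hi:x}" for lo, hi in to_ranges(cmds)]
        body = items[0] if len(items) == 1 else "{ " + " ".join(items) + " }"
        rules.append(f"allowxperm {src} {tgt}:{cls} ioctl {body};")
    return rules
```

Calling `generate_allowxperm(SAMPLE_LOG)` returns one rule per source/target/class triple; the `read` denial is skipped because it carries no ioctl permission.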

