Bug 490442

Summary:	<sys-apps/policycoreutils-2.2.5-r1 audit2allow does not create refpolicy style module
Product:	Gentoo Linux	Reporter:	Sven Vermeulen (RETIRED) <swift>
Component:	SELinux	Assignee:	SE Linux Bugs <selinux>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	selinux-utils
Package list:		Runtime testing required:	---

Description Sven Vermeulen (RETIRED) gentoo-dev

2013-11-04 21:54:03 UTC

When trying to build a SELinux module using "audit2allow -m test -R" (-R to use refpolicy style interfaces) the module does not use the interface, instead relying back on the 'regular' allow statement.

The /var/lib/sepolgen/interface_info is up2date (sepolgen-ifgen was ran and the information for the call I need (kernel_rw_kernel_sysctl) seems to be provided in it. Also, strace'ing the audit2allow process does show that it is reading this file.

Reproducible: Always

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev

2013-12-29 15:07:20 UTC

Seems to be working for more recent policycoreutils (testing with 2.2.5 here):

# cat /tmp/test.txt | audit2allow -m test -R; cat /tmp/test.txt 

policy_module(test, 1.0)

require {
        type gpg_pinentry_t;
}

#============= gpg_pinentry_t ==============
fs_getattr_xattr_fs(gpg_pinentry_t)

type=AVC msg=audit(1388327755.063:952): avc:  denied  { getattr } for  pid=989 comm="pinentry" name="/" dev="dm-3" ino=2 scontext=staff_u:staff_r:gpg_pinentry_t tcontext=system_u:object_r:fs_t tclass=filesystem

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2014-01-20 20:17:36 UTC

Stable in tree