I was wondering the other day why audit2allow creates allow rules that use execute_no_trans even while dealing with a file labeled *_exec_t.

Why is that? I think all the information required to write the transition is there, right?

You can try audit2allow -R

Which attempts to find reference library functions that match the AVCs. And it might find a transition interface. Audit2allow without any qualifier takes the straight AVC and just translates it directly to allow rules. The goal of sepolgen and audit2allow -R is to make better decisions.

Sometimes execing an app_exec_t without a transition is a good idea. For example, most confined domains only transition when run from initrc_t; if run directly they stay in the current domain.

A good example of when you would want this is the cvs command. When you run it as a service you want it to be locked down and only able to r/w cvs_data_t directories, but when a user runs the same command, you want it to stay in the user's domain, which allows it to r/w all directories the user can r/w.
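To make the difference concrete, here is an added example (not from the thread or from the audit2allow source) that takes a constructed execute_no_trans AVC record and prints, side by side, the single rule plain audit2allow would emit and the rule set a domain transition needs instead. It assumes the target domain name is the exec type with `_exec_t` replaced by `_t` (cvs_exec_t to cvs_t), which is the usual convention but not guaranteed.

```shell
#!/bin/sh
# Constructed AVC record: initrc_t executing /usr/bin/cvs (cvs_exec_t)
# without a domain transition. Not a real captured denial.
AVC='type=AVC msg=audit(1300000000.000:1): avc:  denied  { execute_no_trans } for  pid=1000 comm="sh" path="/usr/bin/cvs" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:cvs_exec_t:s0 tclass=file'

# Print the type component (3rd colon field) of scontext= or tcontext=.
# $1 = field name (scontext or tcontext), $2 = AVC record
ctx_type() {
    printf '%s\n' "$2" | sed -n "s/.*$1=[^:]*:[^:]*:\([^:]*\):.*/\1/p"
}

# What plain audit2allow produces: the caller keeps running in its own
# domain, so cvs inherits every permission initrc_t has.
no_trans_rule() {
    src=$(ctx_type scontext "$1"); tgt=$(ctx_type tcontext "$1")
    printf 'allow %s %s:file execute_no_trans;\n' "$src" "$tgt"
}

# The rules a domain transition needs instead (what the refpolicy
# domain_auto_trans() interface expands to, in essence): execute the file,
# transition to the new domain, let the new domain use the file as its
# entrypoint, and make the transition happen by default.
# Assumption: target domain = exec type with _exec_t replaced by _t.
transition_rules() {
    src=$(ctx_type scontext "$1"); exec_t=$(ctx_type tcontext "$1")
    dom=${exec_t%_exec_t}_t
    printf 'allow %s %s:file { getattr open read execute };\n' "$src" "$exec_t"
    printf 'allow %s %s:process transition;\n' "$src" "$dom"
    printf 'allow %s %s:file entrypoint;\n' "$dom" "$exec_t"
    printf 'type_transition %s %s:process %s;\n' "$src" "$exec_t" "$dom"
}

echo '# plain audit2allow style:'
no_trans_rule "$AVC"
echo '# domain transition style:'
transition_rules "$AVC"
```

Which of the two you want is exactly the cvs question in the reply above: the first keeps the program in the caller's domain, the second confines it.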
