OwlCyberDefense / setools

setools has moved to https://github.com/SELinuxProject/setools

Sesearch - duplicate results #155

Closed vmojzis closed 8 years ago

vmojzis commented 8 years ago

Is there a reason why sesearch shows duplicate results (provided that the rule is specified multiple times in policy)?

For example, this rule is specified multiple times in both the "True" and "False" parts of a conditional statement (Fedora 23):

sesearch -A -s nsswitch_domain -t nscd_t -c unix_stream_socket -ds

```
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:False
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:False
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:True
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:True
```

pebenito commented 8 years ago

What are the versions of policy and libsepol?

vmojzis commented 8 years ago

In the meantime I upgraded to F24, but the results are the same.

```
selinux-policy-3.13.1-191.13.fc24
selinux-policy-targeted-3.13.1-191.13.fc24
libsepol-2.5-8.fc24.x86_64
```

SETools 3 behaves the same way:

sesearch -A -s nsswitch_domain -t nscd_t -c unix_stream_socket -d -C

```
DF allow nsswitch_domain nscd_t : unix_stream_socket connectto ; [ nscd_use_shm ]
DF allow nsswitch_domain nscd_t : unix_stream_socket connectto ; [ nscd_use_shm ]
ET allow nsswitch_domain nscd_t : unix_stream_socket connectto ; [ nscd_use_shm ]
ET allow nsswitch_domain nscd_t : unix_stream_socket connectto ; [ nscd_use_shm ]
```

pebenito commented 8 years ago

I've looked at the policies using dispol (sedispol on Fedora), which comes from the SELinux userspace, and it indicates that duplicate rules are in the policy, so SETools is providing an accurate result.
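The practical question behind this thread is how to tell, from a long `sesearch` listing, which rules really occur more than once in the policy so that only those need to be checked with `dispol`. The following script is an added example, not code from the setools project or from either participant: it parses the setools 4 `sesearch` text format shown above (`allow source target:class perms; [ expr ]:Branch`, with the conditional suffix absent for unconditional rules and permission sets written in braces) and counts how many times each rule appears per conditional branch. The sample input embedded in the block is constructed for the example: the four lines reported in this issue plus two made-up rules so that the unconditional and brace-delimited syntax paths are also exercised.

```python
"""Count repeated rules in setools 4 `sesearch` output.

Added example, not part of the setools project. A rule that shows up
N times in the listing under the same conditional branch is a rule
the policy genuinely carries N times (as the dispol check in this
thread confirmed), so this is the list of things worth verifying.
"""
import re
import sys
from collections import Counter

# One line of sesearch output. The conditional suffix "[ expr ]:True"
# is optional; the permission field is a single name or "{ a b c }".
RULE_RE = re.compile(
    r"^(?P<kind>allow|auditallow|dontaudit|neverallow)\s+"
    r"(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+);"
    r"(?:\s+\[\s*(?P<cond>.+?)\s*\]:(?P<branch>True|False))?\s*$"
)


def parse_rule(line):
    """Return a hashable key for one sesearch line, or None if it is not a rule.

    The permission set is normalised to a frozenset so that
    "{ read write }" and "{ write read }" compare equal.
    """
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    perms = frozenset(m.group("perms").strip("{} ").split())
    return (m.group("kind"), m.group("src"), m.group("tgt"), m.group("cls"),
            perms, m.group("cond"), m.group("branch"))


def count_rules(lines):
    """Map each parsed rule key to the number of times it occurs."""
    counts = Counter()
    for line in lines:
        key = parse_rule(line)
        if key is not None:          # skip blank lines and anything unparsed
            counts[key] += 1
    return counts


def duplicates(lines):
    """Return {key: count} for every rule that appears more than once."""
    return {k: n for k, n in count_rules(lines).items() if n > 1}


def format_key(key):
    """Render a key back into sesearch's own text form."""
    kind, src, tgt, cls, perms, cond, branch = key
    perm_text = (next(iter(perms)) if len(perms) == 1
                 else "{ %s }" % " ".join(sorted(perms)))
    text = "%s %s %s:%s %s;" % (kind, src, tgt, cls, perm_text)
    if cond is not None:
        text += " [ %s ]:%s" % (cond, branch)
    return text


# Constructed sample input: the four lines from this issue plus two
# invented rules (one unconditional, one with a permission set). Not
# real output from any system.
SAMPLE = """\
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:False
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:False
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:True
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:True
allow nsswitch_domain nscd_t:sock_file write;
allow nsswitch_domain nscd_t:nscd { getpwd getgrp };
""".splitlines()


if __name__ == "__main__":
    # Usage: sesearch -A -s nsswitch_domain -t nscd_t -ds | python dupes.py
    # With no piped input the constructed sample is used instead.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for key, n in sorted(duplicates(lines).items(),
                         key=lambda kv: format_key(kv[0])):
        print("%dx %s" % (n, format_key(key)))
```

On the sample this prints two lines, `2x ... :False` and `2x ... :True`, which matches what the reporter saw: the rule is present twice in each branch of the `nscd_use_shm` conditional, and the unconditional and brace-form rules are reported once. The script only counts what `sesearch` prints; confirming that the duplicates are in the compiled policy, rather than an artifact of the tool, is still the `dispol` step described in the last comment.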