Closed vmojzis closed 8 years ago
What are the versions of policy and libsepol?
In the meantime I upgraded to F24, but the results are the same.
selinux-policy-3.13.1-191.13.fc24
selinux-policy-targeted-3.13.1-191.13.fc24
libsepol-2.5-8.fc24.x86_64
Setools3 behaves the same way
DF allow nsswitch_domain nscd_t : unix_stream_socket connectto ; [ nscd_use_shm ]
DF allow nsswitch_domain nscd_t : unix_stream_socket connectto ; [ nscd_use_shm ]
ET allow nsswitch_domain nscd_t : unix_stream_socket connectto ; [ nscd_use_shm ]
ET allow nsswitch_domain nscd_t : unix_stream_socket connectto ; [ nscd_use_shm ]
I've looked at the policies using dispol (sedispol on Fedora), which comes from the SELinux userspace, and it indicates that duplicate rules are in the policy, so SETools is providing an accurate result.
Is there a reason why sesearch shows duplicate results (provided that the rule is specified multiple times in policy)?
For example, this rule was specified multiple times in both the "True" and "False" parts of a conditional statement. (Fedora 23)
sesearch -A -s nsswitch_domain -t nscd_t -c unix_stream_socket -ds
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:False
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:False
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:True
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:True
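For auditing a policy that contains rules like the ones in this report, the following added example (not part of the thread and not SETools code) collapses sesearch output into unique rules with counts and flags rules that sit in both branches of the same conditional, which are therefore allowed whatever the boolean's value. It assumes the SETools 4 line format quoted above; the names `parse` and `summarize` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the sesearch output quoted in the report above.
SAMPLE = """\
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:False
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:False
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:True
allow nsswitch_domain nscd_t:unix_stream_socket connectto; [ nscd_use_shm ]:True
"""

# Rule text up to ';', then an optional "[ expr ]:True|False" conditional suffix.
LINE_RE = re.compile(
    r"^(?P<rule>.+?;)\s*(?:\[\s*(?P<cond>.+?)\s*\]:(?P<branch>True|False))?\s*$"
)

def parse(text):
    """Yield (rule, cond, branch); cond and branch are None for unconditional rules."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rule = " ".join(m["rule"].split())  # normalise internal whitespace
            yield rule, m["cond"], m["branch"]

def summarize(text):
    """Return (counts, duplicates, both_branches) for sesearch output."""
    counts = Counter(parse(text))
    # Identical rule in the identical conditional branch, listed more than once.
    duplicates = {key: n for key, n in counts.items() if n > 1}
    # Branches in which each (rule, conditional) pair appears.
    branches = defaultdict(set)
    for rule, cond, branch in counts:
        if cond is not None:
            branches[(rule, cond)].add(branch)
    # Present in both True and False: the boolean does not gate this rule.
    both = sorted(k for k, seen in branches.items() if seen == {"True", "False"})
    return counts, duplicates, both

if __name__ == "__main__":
    counts, duplicates, both = summarize(SAMPLE)
    for (rule, cond, branch), n in duplicates.items():
        print(f"{n}x  {rule} [ {cond} ]:{branch}")
    for rule, cond in both:
        print(f"not gated by {cond}: {rule}")
```
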