The original refpolicy ships a database of its interfaces; its build system has a `build-interface-db` target that generates it. With that database present, `audit2allow -R` expresses denials as refpolicy interface calls instead of raw `allow` rules (compare the `-R` and `-r` outputs below), which makes the generated module more flexible. One caveat: an interface can grant much more than the single permission that was denied — here `allow chromium_t systemd_userdbd_runtime_t:dir read;` becomes `systemd_manage_userdb_runtime_dirs(chromium_t)`, and `allow chromium_t user_home_t:dir write;` becomes `userdom_manage_user_home_content_dirs(chromium_t)` — so review each suggested rule rather than loading the module as generated. Some of the denials (chromium reading `bash_home_history_t`, for instance) are probably better handled with `dontaudit` than with `allow`.
[root@archlinux policy]# readlog.sh |audit2allow -R|grep chromium_t
allow chromium_t bash_home_conf_t:file { getattr read };
allow chromium_t bash_home_history_t:file { getattr read };
allow chromium_t discord_opt_t:dir search;
allow chromium_t freedom1b2830_which_t:file getattr;
allow chromium_t gnome_xdg_config_t:dir { read search };
allow chromium_t groupslist_group_t:file read;
allow chromium_t init_t:dbus send_msg;
allow chromium_t pulseaudio_tmpfs_t:file map;
allow chromium_t thunderbird_home_t:dir read;
allow chromium_t user_home_dir_t:dir { create watch };
allow chromium_t user_home_dir_t:file create;
dbus_read_lib_files(chromium_t)
files_watch_root_dirs(chromium_t)
files_watch_usr_dirs(chromium_t)
mount_list_runtime(chromium_t)
mozilla_read_user_home_files(chromium_t)
seutil_libselinux_linked(chromium_t)
systemd_manage_userdb_runtime_dirs(chromium_t)
userdom_manage_user_home_content_dirs(chromium_t)
xdg_manage_cache(chromium_t)
xdg_manage_data(chromium_t)
xdg_watch_data_dirs(chromium_t)
allow discord_t chromium_t:dir getattr;
[root@archlinux policy]# readlog.sh |audit2allow -r|grep chromium_t
allow chromium_t bash_home_conf_t:file { getattr read };
allow chromium_t bash_home_history_t:file { getattr read };
allow chromium_t discord_opt_t:dir search;
allow chromium_t freedom1b2830_which_t:file getattr;
allow chromium_t gnome_xdg_config_t:dir { read search };
allow chromium_t groupslist_group_t:file read;
allow chromium_t init_t:dbus send_msg;
allow chromium_t mount_runtime_t:dir search;
allow chromium_t mozilla_home_t:dir read;
allow chromium_t pulseaudio_tmpfs_t:file map;
allow chromium_t root_t:dir watch;
allow chromium_t selinux_config_t:lnk_file read;
allow chromium_t system_dbusd_var_lib_t:lnk_file read;
allow chromium_t systemd_userdbd_runtime_t:dir read;
allow chromium_t thunderbird_home_t:dir read;
allow chromium_t user_home_dir_t:dir { create watch };
allow chromium_t user_home_dir_t:file create;
allow chromium_t user_home_t:dir write;
allow chromium_t usr_t:dir watch;
allow chromium_t xdg_cache_t:file create;
allow chromium_t xdg_data_t:dir { add_name remove_name write };
allow chromium_t xdg_data_t:dir watch;
allow chromium_t xdg_data_t:file { create unlink write };
allow discord_t chromium_t:dir getattr;
allow pulseaudio_t chromium_t:fd use;
The original refpolicy ships a database of its interfaces; its build system has a `build-interface-db` target that generates it, and with that database `audit2allow -R` can emit interface calls instead of raw `allow` rules, which allows you to build more flexible modules. The two commands whose output is shown above were:
[root@archlinux policy]# readlog.sh |audit2allow -R|grep chromium_t
[root@archlinux policy]# readlog.sh |audit2allow -r|grep chromium_t