On Tue, 2012-10-02 at 18:10 -0700, William Roberts wrote:
> On Tue, Oct 2, 2012 at 4:28 PM, Joshua Brindle <[email protected]> wrote:
> > William Roberts wrote:
> >>
> >> On Tue, Oct 2, 2012 at 4:18 PM, William Roberts
> >> <[email protected]> wrote:
> >>>
> >>> This is something I whipped together real quick for use with
> >>> audit2allow. It just finds the correct macro to use for the
> >>> permissions granted by audit2allow.
> >>>
> >>> Just like audit2allow, this just blindly "allows" permissions. Care
> >>> should be taken when using this tool to make sure such permissions
> >>> should be granted.
> >>>
> >>> I released this tool under public domain so if enough requests come in
> >>> to clean it up and make it viable, we have the option to add it in the
> >>> future without changing the license.
> >>>
> >>> This is prototype code and is not very good, but I figured I would
> >>> throw it up online in the event that others find it useful too.
> >
> >
> > This is one of the reasons I wanted the Android policy converted to a
> > reference policy style structure, so that things like audit2allow -i would
> > work, which is tried and true.
>
> It would be nice, and another benefit would be so the books follow
> this policy too. It's hard teaching this to others as they look at the
> books and docs (which are all refpolicy based) and can't match it up.
>
> But alas, it is what it is.

I don't think it is justified (or desirable) to bring in all of the
refpolicy infrastructure. I also don't think audit2allow -i does what
Joshua thinks it does. Maybe you mean audit2allow -R, but even that
only did matching on refpolicy interfaces, not simple permission or
class macros, and it was just a heuristic that only worked sometimes.

If you think you have a change that would in fact be helpful, feel free
to propose a patch. But don't make changes just to be more like
refpolicy.

--
Stephen Smalley
National Security Agency
