On Thu, 2006-10-05 at 12:32 -0400, Suchoski, Andrew wrote:
> Found my problem. I was concentrating on the domain-type access
> controls for relabelfrom/relabelto and I forgot about the basic TE
> constraint that states
>
>   constrain dir_file_class_set { create relabelto relabelfrom }
>       ( u1 == u2 or t1 == can_change_object_identity );
>
> audit2allow doesn't help very much with that.

True. audit2why can at least diagnose whether it is constraint-related
or TE-related.
--
Stephen Smalley
National Security Agency
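
Added example, not part of the original thread or of any SELinux tool: a small Python check that evaluates the constraint quoted above against AVC denial lines, showing which denials fail on user identity and so cannot be fixed by adding allow rules. The attribute membership set and the log lines are constructed assumptions; take the real set of can_change_object_identity types from your own policy.

```python
import re

# Expansion of the dir_file_class_set policy macro.
DIR_FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file",
                    "fifo_file", "chr_file", "blk_file"}
CONSTRAINED_PERMS = {"create", "relabelto", "relabelfrom"}
# Assumption: types carrying the can_change_object_identity attribute.
# Constructed for this example; read the real set from your policy.
CAN_CHANGE_OBJECT_IDENTITY = {"sysadm_t", "rpm_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def violates_identity_constraint(line, exempt_types=CAN_CHANGE_OBJECT_IDENTITY):
    """True: denial fails (u1 == u2 or t1 == can_change_object_identity).
    False: constraint is satisfied, so look at TE rules instead.
    None: not an AVC denial that this constraint covers."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    if m.group("tclass") not in DIR_FILE_CLASSES or not perms & CONSTRAINED_PERMS:
        return None
    scon = m.group("scon").split(":")  # user:role:type[:mls]
    if len(scon) < 3:
        return None
    u1, t1 = scon[0], scon[2]          # source user and source type
    u2 = m.group("tcon").split(":")[0]  # target user
    return not (u1 == u2 or t1 in exempt_types)

# Constructed sample denials (not taken from the thread).
SAMPLE = [
    'avc:  denied  { relabelto } for  pid=2101 comm="chcon" name="index.html" dev=hda2 ino=4711 scontext=user_u:user_r:user_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file',
    'avc:  denied  { relabelto } for  pid=2102 comm="restorecon" name="motd" dev=hda2 ino=4712 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file',
    'avc:  denied  { relabelfrom } for  pid=2103 comm="chcon" name="conf.d" dev=hda2 ino=4713 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir',
    'avc:  denied  { read } for  pid=2104 comm="cat" name="shadow" dev=hda2 ino=4714 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file',
]

if __name__ == "__main__":
    labels = {True: "constraint violated", False: "constraint ok, check TE", None: "not covered"}
    for line in SAMPLE:
        print(labels[violates_identity_constraint(line)], "|", line[:60])
```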