setroubleshoot-plugins/0002-catchall-Discourage-creating-custom-policy-modules.patch
Vit Mojzis b2821260d0 setroubleshoot-plugins-3.3.15-3
- catchall: Discourage creating custom policy modules

Resolves: RHEL-80549
2026-06-18 17:15:12 +02:00


From 8ad7f4c5528fbbc52a3d391c702102c6fe262d83 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 9 Jun 2026 17:27:36 +0200
Subject: [PATCH] catchall: Discourage creating custom policy modules
Update the plugin text to discourage creating custom policy modules by
explaining the lack of support and potential security implications.
---
src/catchall.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/catchall.py b/src/catchall.py
index 052d6d8..7e4a8fa 100644
--- a/src/catchall.py
+++ b/src/catchall.py
@@ -54,9 +54,14 @@ class plugin(Plugin):
return _('If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.')
return _('If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.')
- then_text = _('You should report this as a bug.\nYou can generate a local policy module to allow this access.')
- do_text = _("""Allow this access for now by executing:
-# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
+ then_text = _('''
+ You should report this as a bug.\n
+ If you are certain this access is legitimate and not an intrusion attempt, you
+ can generate a local policy module to allow it.
+ Custom policy modules are not supported as they may weaken the system policy and expose the system to security vulnerabilities.
+ ''')
+
+ do_text = _("""# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-$MODULE_NAME.pp""")
def __init__(self):
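Review bot: The new `then_text` asks the reader to be certain the access is legitimate, yet `do_text` still runs `audit2allow -M` and then `semodule -X 300 -i` back to back, with no step that shows the generated rules before they are installed. `ausearch -c '$SOURCE' --raw` matches every logged event for that command name rather than only the denial in this alert, so the module may allow more than the user was shown; a line such as `# cat my-$MODULE_NAME.te` between the two commands would prompt a review first. Separately, the triple-quoted `then_text` makes the leading newline, the `\n` followed by a real line break, and any source indentation (not visible in this rendering) part of the msgid, which probably renders as extra blank lines and leaves existing translations unmatched until they are updated; a string without that surrounding whitespace would avoid both. The enclosing `plugin` class continues outside the hunk.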
--
2.53.0