For a lot of stuff creating custom policy modules, however small, is necessary as part of normal implementation routines.
Doing this process on the CLI of a server is as cumbersome as it is annoying, due to a number of things which should be rather easily solvable
- Documentation; The Tresys Reference Policy API should have a patched equivalent in Red Hat docs
- Documentation: The available generic macros are horribly documented, which is unneccessary. They should be within aforementioned API documentation
- 'auto_require' or something similar: When creating a custom policy, you often have to fill the require block manually, which is a horribly annoying and seemingly unnecessary trial-and-error process. For example; if I use manage_dirs_pattern(), is it really that hard to detect it uses & needs class dir with everything but the kitchen sink in the require block? A lot of interfaces already use gen_require() to do this, but it really shouldn't be that hard to pick up completely automatically.
- Using kernel_dontaudit_list_all_proc() excludes everything of proc_type, which, as it turns out, isn't a whole lot. More of these attributes are needed on more locations.
- Compiler errors: Wrong lines are indicated, the errors are unhelpful and undescriptive
- vim/emacs highlighting is basic at best. It could be loads better and more useful.
Also, I think it's advisable to warn people more of using audit2allow. While a useful tool, it really shouldn't just be trusted.