lack of AVC denied messages

Russell Coker russell at coker.com.au
Fri Jun 25 08:26:31 UTC 2004


On Fri, 25 Jun 2004 13:52, Richard Hally <rhally at mindspring.com> wrote:
> Sorry for the reply to my own message.
> After remembering (and using) the 'enableaudit' option for making
> policy, the needed avc denied messages to generate the allow rules were
> produced.
> But this raises the larger question of how are we going to handle the
> dontaudit rules in the future? And how do we distinguish between those
> that are for "harmless" denials and those that are not?

Mozilla is a difficult program in this regard.  In normal operation it will 
try to stat() many files and read many directories that you don't want it to 
so dontaudit rules are needed.  Then when you get mis-labelled files and 
directories you don't see any AVC messages because of the dontaudit rules.

It's especially difficult because it's a program that users run.  If the same 
problem occurs with a daemon then the person who runs it can just load a new 
policy to investigate it.  The person who has a Mozilla program often does 
not have this option.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
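As an added illustration of the step the thread refers to (turning AVC denied messages into allow rules) and of Russell's point that dontaudit hides exactly the denials you might later need, here is a small parser; it is not code from this list or from any SELinux tool, and the log lines, the type names such as user_mozilla_t, and the dontaudit rule are all constructed:

```python
import re
from collections import defaultdict

# Constructed AVC denials in the style of 2.6-era dmesg output; the type
# names (user_mozilla_t etc.) are assumptions, not from a real policy.
SAMPLE_LOG = """\
audit(1088150000.101:0): avc:  denied  { getattr } for  pid=2301 exe=/usr/lib/mozilla/mozilla-bin path=/home/rh/.ssh dev=hda3 ino=4401 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_home_ssh_t tclass=dir
audit(1088150000.102:0): avc:  denied  { read } for  pid=2301 exe=/usr/lib/mozilla/mozilla-bin name=bookmarks.html dev=hda3 ino=4410 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1088150000.103:0): avc:  denied  { search } for  pid=2301 exe=/usr/lib/mozilla/mozilla-bin name=.ssh dev=hda3 ino=4401 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_home_ssh_t tclass=dir
some unrelated kernel line
"""

# Constructed dontaudit rule, as it would be written in the policy source:
# dontaudit user_mozilla_t user_home_ssh_t:dir { getattr search };
DONTAUDIT = {("user_mozilla_t", "user_home_ssh_t", "dir"): {"getattr", "search"}}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)")

def parse_avc(line):
    """Return (source type, target type, class, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Contexts are user:role:type (no MLS field in the 2004-era policy).
    stype = m.group("sctx").split(":")[2]
    ttype = m.group("tctx").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def allow_rules(log):
    """Aggregate denials into one allow rule per (source, target, class)."""
    needed = defaultdict(set)
    for parsed in map(parse_avc, log.splitlines()):
        if parsed:
            s, t, c, perms = parsed
            needed[(s, t, c)] |= perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]

def hidden_by_dontaudit(log, dontaudit):
    """Denials fully covered by a dontaudit rule: these never reach the log
    unless the policy is built with enableaudit."""
    hidden = []
    for parsed in map(parse_avc, log.splitlines()):
        if parsed and parsed[3] <= dontaudit.get(parsed[:3], set()):
            hidden.append(parsed[:3] + (frozenset(parsed[3]),))
    return hidden
```

With the constructed rule in place, the two .ssh directory denials are reported as hidden: a mislabelled directory under the same type would be silently suppressed in the same way, which is the problem the reply describes.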
