Experiences with selinux enabled targeted on Fedora Core 3

W. Michael Petullo mike at flyn.org
Wed Apr 20 19:10:44 UTC 2005


>>>>> Personally, I'm not thrilled by the idea of sticking in dontaudit rules
>>>>> to quiet complaints at boot time that are caused by directories that
>>>>> are mislabelled.

>>>> Why not?

>>> I can't speak for Valdis, but for me the word "kludge" comes to mind.
 
>> It's not a kludge.  The purpose of dontaudit rules is to prevent auditing of
>> operations that are not permitted, not interesting, and expected to happen.
>> This is exactly the situation.
 
> You say that dontaudit rules are to cover the following circumstances:
> 
> 1. Not permitted.
> 2. Not interesting.
> 3. Expected to happen.
> 
> That's not what's going on here and using dontaudit is a kludge.  The
> OP is stating that *mount points* for /usr, /usr/local, and
> /usr/share are generating complaints because they're not properly
> labelled prior to being mounted.  These are the directories themselves
> and not directories that are hidden by the mount.  This is
> "interesting" and "not expected to happen," failing points 2 and 3.
> 
> Regardless if the fix can be automated or not, telling the system to
> "just ignore it" is inappropriate IMO.

One thing I have noticed is that dontaudit messages occasionally get in
the way when trying to modify the policy.  When using the strict policy,
I've had a few situations where something was denied by SELinux but
not audited and I had trouble determining what rules were blocking
the operation.

-- 
Mike

:wq
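The thread's two points, that denials caused by unlabelled mount points call for relabelling rather than a dontaudit rule, and that silenced denials make policy debugging harder, as an added example that is not part of the list thread: a small triage script over constructed AVC denial lines (sample data made up here, not from any real system) that separates denials whose target carries a never-labelled type (file_t, unlabeled_t) from denials that are genuine policy gaps.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from the original post). The first
# two mimic mount points that were never labelled; the third is a policy gap.
SAMPLE_AVC = """\
type=AVC msg=audit(1114023044.123:45): avc:  denied  { getattr } for  pid=611 comm="mount" path="/usr/local" dev=hda1 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1114023044.456:46): avc:  denied  { search } for  pid=611 comm="mount" name="share" dev=hda1 ino=3 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
type=AVC msg=audit(1114023050.001:47): avc:  denied  { read } for  pid=702 comm="httpd" name="index.html" dev=hda1 ino=99 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
"""

# Matches the permission set in braces plus the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

# Target types that mean "this object was never labelled": a labelling defect
# fixed by relabelling (restorecon/fixfiles), not by a dontaudit rule.
MISLABEL_TYPES = {"file_t", "unlabeled_t"}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = tuple(sorted(d["perms"].split()))
    d["ttype"] = d["tcontext"].split(":")[2]   # user:role:type[:range]
    return d

def triage(log_text):
    """Group denials by (scontext, tcontext, tclass); verdict 'relabel' or 'policy'."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["scontext"], d["tcontext"], d["tclass"])].update(d["perms"])
    result = {}
    for key, perms in groups.items():
        ttype = key[1].split(":")[2]
        verdict = "relabel" if ttype in MISLABEL_TYPES else "policy"
        result[key] = (verdict, sorted(perms))
    return result

if __name__ == "__main__":
    for (s, t, c), (verdict, perms) in triage(SAMPLE_AVC).items():
        print(f"{verdict:8} {s} -> {t} {c} {{ {' '.join(perms)} }}")
```

Only the "policy" groups are candidates for an allow or dontaudit rule; the "relabel" groups point at objects whose context must be fixed before the denial means anything.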

More information about the fedora-selinux-list mailing list