Experiences with selinux enabled targeted on Fedora Core 3
Russell Coker
russell at coker.com.au
Wed Apr 20 06:21:43 UTC 2005
On Tuesday 19 April 2005 23:07, "Christofer C. Bell"
<christofer.c.bell at gmail.com> wrote:
> On 4/18/05, Russell Coker <russell at coker.com.au> wrote:
> > On Tuesday 19 April 2005 12:25, Valdis.Kletnieks at vt.edu wrote:
> > > Personally, I'm not thrilled by the idea of sticking in dontaudit rules
> > > to quiet complaints at boot time that are caused by directories that
> > > are mislabelled.
> >
> > Why not?
>
> I can't speak for Valdis, but for me the word "kludge" comes to mind.
It's not a kludge. The purpose of dontaudit rules is to prevent auditing of
operations that are not permitted, not interesting, and expected to happen.
This is exactly the situation.
Using dontaudit rules for such things also gives correct behavior in
situations where relabelling will not. As an example there is the following
rule:
dontaudit lvm_t file_t:dir search;
Without this rule the lvm utilities when run before /var is mounted would
create the /var/lock directory on the mount-point. This is not desired
functionality: the machine is in single-user mode at the time (so the lack of
locking is not a problem), and creating directories that later get hidden by
mounting a file system is not desirable.
So far no-one has provided any reasons not to use dontaudit rules.
Accusations of kludging don't count as a reason.
I don't consider file_t labelling for a mount point as "mislabelling". The
mount point directory is expected to be hidden, so generally only mount needs
to access it.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
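Added example (not from Russell's mail or from any SELinux tool): a small Python simulation of what the quoted dontaudit rule does and does not change. The AVC lines are constructed, the rule parser covers only the simple TE syntax shown above, and contexts are assumed to be in the three-field user:role:type form.

```python
import re

# Constructed sample AVC denials (not from the original post). The first is the
# boot-time lvm search of the unmounted /var mount point that the rule silences.
SAMPLE_AVC = """\
avc:  denied  { search } for  pid=612 exe=/sbin/lvm name=var dev=hda1 ino=4 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
avc:  denied  { add_name } for  pid=612 exe=/sbin/lvm name=var dev=hda1 ino=4 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
avc:  denied  { search } for  pid=900 exe=/usr/sbin/httpd name=var dev=hda1 ino=4 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
"""
# The rule quoted in the post, in TE syntax.
SAMPLE_RULES = "dontaudit lvm_t file_t:dir search;\n"

RULE_RE = re.compile(r"^\s*(allow|dontaudit|auditallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\S+)")

def parse_rules(text):
    """Return (kind, source, target, class, perms) tuples; perms is a frozenset."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # skip blank lines and anything that is not a simple TE rule
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

def type_of(context):
    """The type is the third field of user:role:type[:mls]."""
    return context.split(":")[2]

def is_audited(avc_line, rules):
    """True if the denial would still be logged under the given rules.

    A dontaudit rule only suppresses the audit record: the access is still
    denied, and only the listed source, target, class and permissions match."""
    m = AVC_RE.search(avc_line)
    if not m:
        raise ValueError("not an AVC denial: " + avc_line)
    perms, scontext, tcontext, tclass = m.groups()
    requested = set(perms.split())
    for kind, src, tgt, cls, silenced in rules:
        if kind != "dontaudit":
            continue
        tgt = src if tgt == "self" else tgt
        if (src, tgt, cls) == (type_of(scontext), type_of(tcontext), tclass):
            requested -= silenced  # these permissions are no longer audited
    return bool(requested)  # any uncovered permission is still audited

def audited_denials(avc_text, rules_text):
    """Filter a block of AVC messages down to those a policy would still audit."""
    rules = parse_rules(rules_text)
    return [l for l in avc_text.splitlines() if l.strip() and is_audited(l, rules)]
```

Running audited_denials(SAMPLE_AVC, SAMPLE_RULES) drops only the lvm search denial; the add_name denial from lvm and the httpd denial on the same directory are still reported, which is the narrowness that distinguishes a dontaudit rule from relabelling the mount point.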