Experiences with selinux enabled targetted on Fedora Core 3

Russell Coker russell at coker.com.au
Wed Apr 20 06:21:43 UTC 2005


On Tuesday 19 April 2005 23:07, "Christofer C. Bell" 
<christofer.c.bell at gmail.com> wrote:
> On 4/18/05, Russell Coker <russell at coker.com.au> wrote:
> > On Tuesday 19 April 2005 12:25, Valdis.Kletnieks at vt.edu wrote:
> > > Personally, I'm not thrilled by the idea of sticking in dontaudit rules
> > > to quiet complaints at boot time that are caused by directories that
> > > are mislabelled.
> >
> > Why not?
>
> I can't speak for Valdis, but for me the word "kludge" comes to mind.

It's not a kludge.  The purpose of dontaudit rules is to prevent auditing of 
operations that are not permitted, not interesting, and expected to happen.  
This is exactly the situation.

Using dontaudit rules for such things also gives correct behavior in 
situations where relabelling will not.  As an example there is the following 
rule:
dontaudit lvm_t file_t:dir search;

Without this rule the lvm utilities when run before /var is mounted would 
create the /var/lock directory on the mount-point.  This is not desired 
functionality, the machine is in single-user mode at the time (so the lack of 
locking is not a problem) and creating directories that later get hidden by 
mounting a file system is not desirable.

So far no-one has provided any reasons not to use dontaudit rules.  
Accusations of kludging don't count as a reason.

I don't consider file_t labelling for a mount point as "mislabelling".  The 
mount point directory is expected to be hidden, so generally only mount needs 
to access it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




More information about the fedora-selinux-list mailing list