Experiences with selinux enabled targeted on Fedora Core 3

Daniel J Walsh dwalsh at redhat.com
Wed Apr 20 19:59:31 UTC 2005


W. Michael Petullo wrote:

>>>>>>Personally, I'm not thrilled by the idea of sticking in dontaudit rules
>>>>>>to quiet complaints at boot time that are caused by directories that
>>>>>>are mislabelled.
>
>>>>>Why not?
>
>>>>I can't speak for Valdis, but for me the word "kludge" comes to mind.
>
>>>It's not a kludge.  The purpose of dontaudit rules is to prevent auditing of
>>>operations that are not permitted, not interesting, and expected to happen.
>>>This is exactly the situation.
>
>>You say that dontaudit rules are to cover the following circumstances:
>>
>>1. Not permitted.
>>2. Not interesting.
>>3. Expected to happen.
>>
>>That's not what's going on here and using dontaudit is a kludge.  The
>>OP is stating that *mount points*  for /usr, /usr/local, and
>>/usr/share are generating complaints because they're not properly
>>labelled prior to being mounted.  These are the directories themselves
>>and not directories that are hidden by the mount.  This is
>>"interesting" and "not expected to happen," failing points 2 and 3.
>>
>>Regardless of whether the fix can be automated or not, telling the system to
>>"just ignore it" is inappropriate IMO.
>
>One thing I have noticed is that dontaudit messages occasionally get in
>the way when trying to modify the policy.  When using the strict policy,
>I've had a few situations where something was denied by SELinux but
>not audited and I had trouble determining what rules were blocking
>the operation.
>
You can turn off the dontaudit rules by executing the following in the policy src dir:
make enableaudit
make load
