Experiences with selinux enabled targeted on Fedora Core 3
Daniel J Walsh
dwalsh at redhat.com
Wed Apr 20 19:59:31 UTC 2005
W. Michael Petullo wrote:
>>>>>>Personally, I'm not thrilled by the idea of sticking in dontaudit rules
>>>>>>to quiet complaints at boot time that are caused by directories that
>>>>>>are mislabelled.
>
>>>>>Why not?
>
>>>>I can't speak for Valdis, but for me the word "kludge" comes to mind.
>
>>>It's not a kludge. The purpose of dontaudit rules is to prevent auditing of
>>>operations that are not permitted, not interesting, and expected to happen.
>>>This is exactly the situation.
>
>>You say that dontaudit rules are to cover the following circumstances:
>>
>>1. Not permitted.
>>2. Not interesting.
>>3. Expected to happen.
>>
>>That's not what's going on here and using dontaudit is a kludge. The
>>OP is stating that *mount points* for /usr, /usr/local, and
>>/usr/share are generating complaints because they're not properly
>>labelled prior to being mounted. These are the directories themselves
>>and not directories that are hidden by the mount. This is
>>"interesting" and "not expected to happen," failing points 2 and 3.
>>
>>Regardless of whether the fix can be automated, telling the system to
>>"just ignore it" is inappropriate IMO.
>
>One thing I have noticed is that dontaudit messages occasionally get in
>the way when trying to modify the policy. When using the strict policy,
>I've had a few situations where something was denied by SELinux but
>not audited and I had trouble determining what rules were blocking
>the operation.
>
You can turn off the dontaudit rules by executing in the policy src dir

    make enableaudit
    make load
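One defender-side way to act on the point made above (relabel the mount points rather than silence the denials with dontaudit), as an added example that is not from any poster or from the Fedora policy tree: compare each mount point's on-disk context with what matchpathcon says the loaded policy expects, and report mismatches for restorecon. It assumes matchpathcon(1) and a GNU stat(1) that supports the %C format; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or the Fedora policy tree: report
# mount point directories whose on-disk SELinux context does not match what
# the policy's file_contexts expects, so they can be relabelled rather than
# having the resulting AVC denials silenced with dontaudit rules.
# Assumes matchpathcon(1) and a GNU stat(1) that supports the %C format.

# Type field (third colon-separated component) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (return 0) when the actual context's type differs from the
# expected one; only the type matters for the denials discussed here.
# Arguments: expected-context actual-context
label_mismatch() {
    [ "$(context_type "$1")" != "$(context_type "$2")" ]
}

# Context the loaded policy expects for a path ("<path><TAB><context>").
expected_context() {
    matchpathcon "$1" | cut -f2
}

# Context currently on the directory inode. Run this BEFORE the filesystem
# is mounted, otherwise stat sees the mounted root, not the mount point.
actual_context() {
    stat -c %C "$1"
}

# Check each mount point on the command line; print one line per mismatch
# and return non-zero if any mount point is mislabelled.
check_mountpoints() {
    rc=0
    for mp in "$@"; do
        exp=$(expected_context "$mp") || continue
        act=$(actual_context "$mp") || continue
        if label_mismatch "$exp" "$act"; then
            printf '%s: is %s, policy expects %s -> restorecon -v %s\n' \
                "$mp" "$act" "$exp" "$mp"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (needs no SELinux): an unlabelled /usr mount point.
label_mismatch "system_u:object_r:usr_t" "system_u:object_r:file_t" &&
    echo "demo: /usr would be reported (file_t vs usr_t)"
# Real use, e.g. from an early boot step:  check_mountpoints /usr /usr/local /usr/share
```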