[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Experiences with selinux enabled targetted on Fedora Core 3



W. Michael Petullo wrote:

Personally, I'm not thrilled by the idea of sticking in dontaudit rules
to quiet complaints at boot time that are caused by directories that
are mislabelled.





Why not?





I can't speak for Valdis, but for me the word "kludge" comes to mind.





It's not a kludge. The purpose of dontaudit rules is to prevent auditing of
operations that are not permitted, not interesting, and expected to happen.
This is exactly the situation.





You say that dontaudit rules are to cover the following circumstances:

1. Not permitted.
2. Not interesting.
3. Expected to happen.

That's not what's going on here and using dontaudit is a kludge.  The
OP is stating that *mount points*  for /usr, /usr/local, and
/usr/share are generating complaints because they're not properly
labled prior to being mounted.  These are the directories themselves
and not directories that are hidden by the mount.  This is
"interesting" and "not expected to happen," failing points 2 and 3.

Regardless if the fix can be automated or not, telling the system to
"just ignore it" is inappropriate IMO.



One thing I have noticed is that dontaudit messages occasionally get in the way when trying to modify the policy. When using the strict policy, I've had a few situations where something was denied by SELinux but not audited and I had trouble determining what rules where blocking the operation.



You can turn off the dontaudit rules by executing in the policy src dir
make enableaudit
make load

--



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]