too many sealerts, most have been reported, and still see denials

[Antonio Olivares]

--- On Sat, 9/12/09, Eric Paris <eparis at redhat.com> wrote:

> From: Eric Paris <eparis at redhat.com>
> Subject: Re: too many sealerts, most have been reported, and still see denials
> To: "Antonio Olivares" <olivares14031 at yahoo.com>
> Cc: "Justin P. Mattock" <justinmattock at gmail.com>, fedora-selinux-list at redhat.com
> Date: Saturday, September 12, 2009, 4:07 PM
> On Sat, 2009-09-12 at 13:55 -0700,
> Antonio Olivares wrote:
> > > Not exactly sure whats happening. keep in mind
> > > if your using a development versions of fedora,
> > > then you will run into issues.(if your on stable
> then
> > > you should be fine).
> > >
> > I knew that ahead of time, but it did not seem to be
> this troublesome this time with Fedora 12.  I have been
> testing since Fedora 5 Test 2 release and have not
> encountered as many denials as I have in this Fedora 12
> testing phase.  Guess many don't complain because they
> run selinux disabled selinux=0, or enforcing=0 so they don't
> care to report the issues?  
> 
> No, the vast majority of the 'denials' aren't actually
> denials.  Dan
> removed all unconfined domains and replaced them with
> permissive
> domains.  An unconfined domain allows everything and
> audits nothing.  A
> permissive domain allows everything but audits every time
> there is no
> allow rule for a given request.
> 
> This has helped to define the actual needs of many of the
> unconfined
> domains.  And hopefully we can remove them entirely in
> the future.
> Please keep filing bugs.
>
Thanks for encouraging me to keep filing bugs.  I will continue running it and report errors whenever I can.  I hope that the bug reporter works, because it breaks once in a while :(  
> 
> It's no surprise you are getting more messages, but it
> shouldn't be
> really different than in previous development for the
> number of problems
> it actually causes.
> 
> -Eric
> 
> 
Regards,

Antonio