Wiki - https://fedoraproject.org/wiki/Changes/SELinux_dontaudit_unlabeled_t Discussion thread - https://discussion.fedoraproject.org/t/f41-change-proposal-reduce-the-amount...
This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
== Summary == Reduce the amount of rules that prevent reporting of SELinux denials pertaining to unlabeled_t. This could influence the amount of SELinux-related logs on some systems, but will not cause any new permission denials.
== Owner == * Name: [[User:vmojzis| Vít Mojžíš]] * Email: vmojzis@redhat.com
* Name: [[User:mmalik| Miloš Malík]] * Email: mmalik@redhat.com
== Detailed Description == The SELinux security policy primarily comprises allow rules, which permit specific operations on a confined system. However, there are also SELinux rules featuring the "dontaudit" keyword. In general, these rules signify that the described operation is not allowed and will not be logged as a permission denial in audit logs. The primary purpose of these rules is to hide certain false positives or code defects, such as leaked descriptors. The drawback is that, in certain instances, these rules might obscure hints that could expedite debugging and issue resolution. It is possible to disable all dontaudit rules using "semodule -DB", but this usually leads to large amounts of benign denials being logged and hence is not practical for long term use.
The goal of this change is to significantly reduce the amount of dontaudit rules suppressing "unlabeled_t" denials, which are often caused by miss-labeled filesystems and can usually be easily fixed when noticed by the system administrator. The rules will not be completely removed from the policy, only disabled by default, so that the change can be reverted by the admin if needed (<code># setsebool -P dontaudit_unlabeled_files 1</code>). The change could influence the amount of SELinux-related logs on some systems, but will not cause any new permission denials.
== Feedback ==
== Benefit to Fedora == Access denials caused by labeling issues will more likely be reported by SELinux.
== Scope == * Proposal owners: Determine which dontaudit rules are safe to disable by default and wrap them in conditional statements in the policy sources -- changes will be limited to SElinux policy (and possibly setroubleshoot) packages
* Other developers: Report any unlabeled_t AVCs triggered by their software
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy: The change aligns with the "accessibility" goal as it simplifies debugging of some labeling issues
== Upgrade/compatibility impact == No functionality impact, no configuration or data migration. The change could influence the amount of SELinux-related logs on some systems.
== Early Testing (Optional) == Do you require 'QA Blueprint' support? - No
== How To Test == Run your testsuite with SELinux enabled (Enforcing or Permissive mode) and record any AVCs containing unlabeld_t keyword.
<code># ausearch -m AVC,USER_AVC | grep unlabeled_t</code>
== User Experience == The change could increase the amount of SELinux-related logs on some systems.
== Dependencies == Changes will be limited to SElinux policy (and possibly setroubleshoot) packages.
== Contingency Plan ==
* Contingency mechanism: Do not ship the updated SELinux-policy package * Contingency deadline: N/A (not a System Wide Change) * Blocks release? No
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself? Link to that material here so other interested developers can get involved. -->
Dontaudit rules can be added selectively using audit2allow:
<code># ausearch -m AVC | grep unlabeled_t | audit2allow -D -M dontaudit_unlabeled </code>
<code># semodule -i dontaudit_unlabeled.pp </code>
All the disabled rules can be re-enabled by switching the "dontaudit_unlabeled_files" boolean (will be added as part of the change).
<code># setsebool -P dontaudit_unlabeled_files 1</code>
== Release Notes ==
devel-announce@lists.fedoraproject.org