--- On Sat, 9/12/09, Eric Paris <eparis(a)redhat.com> wrote:
From: Eric Paris <eparis(a)redhat.com>
Subject: Re: too many sealerts, most have been reported, and still see denials
To: "Antonio Olivares" <olivares14031(a)yahoo.com>
Cc: "Justin P. Mattock" <justinmattock(a)gmail.com>,
fedora-selinux-list(a)redhat.com
Date: Saturday, September 12, 2009, 4:07 PM
On Sat, 2009-09-12 at 13:55 -0700,
Antonio Olivares wrote:
> > Not exactly sure whats happening. keep in mind
> > if your using a development versions of fedora,
> > then you will run into issues.(if your on stable
then
> > you should be fine).
> >
> I knew that ahead of time, but it did not seem to be
this troublesome this time with Fedora 12. I have been
testing since Fedora 5 Test 2 release and have not
encountered as many denials as I have in this Fedora 12
testing phase. Guess many don't complain because they
run selinux disabled selinux=0, or enforcing=0 so they don't
care to report the issues?
No, the vast majority of the 'denials' aren't actually
denials. Dan
removed all unconfined domains and replaced them with
permissive
domains. An unconfined domain allows everything and
audits nothing. A
permissive domain allows everything but audits every time
there is no
allow rule for a given request.
This has helped to define the actual needs of many of the
unconfined
domains. And hopefully we can remove them entirely in
the future.
Please keep filing bugs.
Thanks for encouraging me to keep filing bugs. I will continue running it and
report errors whenever I can. I hope that the bug reporter works, because it breaks once
in a while :(
It's no surprise you are getting more messages, but it
shouldn't be
really different than in previous development for the
number of problems
it actually causes.
-Eric
Regards,
Antonio