Hi Stephen,
The rule has been there for almost 9 years.
https://github.com/fedora-selinux/selinux-policy/commit/54f9ea9e7ccf243b0...
I have no problem removing it.
Lukas.
On 3/20/19 4:10 PM, Stephen Smalley wrote:
On 3/20/19 10:56 AM, SZIGETVÁRI János wrote:
> Hi Stephen,
>
> I have to admit, I forgot to mention, that I was creating the policy
> on RHEL 7.5, not Fedora.
Nonetheless, the same appears to be true on Fedora. dontaudit rules for
all domains obviously make it harder to debug and develop policies for
new domains. They should be kept to a minimum.
I suspect these rules were to silence "noisy" denials when sockets are
created without SOCK_CLOEXEC and then the process execs into a different
domain. But a) in some of those cases, we probably do need/want to
allow inheritance, so we need to see those denials, and b) we shouldn't
silence the self case. Unfortunately we don't have a way to write rules
that exclude self currently.
>
> Sorry about that!
> János
>
> Stephen Smalley <sds(a)tycho.nsa.gov> wrote (on Wed, 20 Mar 2019, 15:45):
>
>
> Obvious question is why are these being dontaudit'd by Fedora policy.
>
--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
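
The quoted reply above attributes the noisy denials to sockets created without SOCK_CLOEXEC being inherited across an exec into another domain. As an added example (not code from this thread or from selinux-policy), the following C program reports which of a process's sockets would be inherited that way; it assumes Linux with /proc mounted, and the function names are hypothetical.

```c
#define _GNU_SOURCE            /* for SOCK_CLOEXEC */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd is a socket that stays open across execve(), else 0. */
int socket_leaks_on_exec(int fd)
{
    struct stat st;
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1 || fstat(fd, &st) == -1)
        return 0;                        /* not an open descriptor */
    return S_ISSOCK(st.st_mode) && !(flags & FD_CLOEXEC);
}

/* Counts inheritable sockets via /proc/self/fd; -1 if /proc is unavailable. */
int count_leaking_sockets(void)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int n = 0;
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0')
            continue;                    /* skip "." and ".." */
        n += socket_leaks_on_exec((int)fd);
    }
    closedir(d);
    return n;
}

int main(void)
{
    int leaky = socket(AF_UNIX, SOCK_STREAM, 0);                /* inherited */
    int safe  = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); /* closed on exec */
    printf("leaky=%d safe=%d inheritable sockets=%d\n",
           socket_leaks_on_exec(leaky), socket_leaks_on_exec(safe),
           count_leaking_sockets());
    close(leaky);
    close(safe);
    return 0;
}
```

Calling `count_leaking_sockets()` just before an `execve()` into a different domain shows which descriptors the new domain would receive, and so which inheritance denials to expect once the dontaudit rule is gone.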