W. Michael Petullo wrote:
>>>>>Personally, I'm not thrilled by the idea of sticking in dontaudit rules
>>>>>to quiet complaints at boot time that are caused by directories that
>>>>>are mislabelled.
>>>>>
>>>>>
>>>>Why not?
>>>>
>>>>
>>>I can't speak for Valdis, but for me the word "kludge" comes to mind.
>>>
>>>
>>It's not a kludge. The purpose of dontaudit rules is to prevent auditing of
>>operations that are not permitted, not interesting, and expected to happen.
>>This is exactly the situation.
>>
>>
>You say that dontaudit rules are to cover the following circumstances:
>
>1. Not permitted.
>2. Not interesting.
>3. Expected to happen.
>
>That's not what's going on here and using dontaudit is a kludge. The
>OP is stating that *mount points* for /usr, /usr/local, and
>/usr/share are generating complaints because they're not properly
>labelled prior to being mounted. These are the directories themselves
>and not directories that are hidden by the mount. This is
>"interesting" and "not expected to happen," failing points 2 and 3.
>
>Regardless if the fix can be automated or not, telling the system to
>"just ignore it" is inappropriate IMO.
>
>
One thing I have noticed is that dontaudit messages occasionally get in
the way when trying to modify the policy. When using the strict policy,
I've had a few situations where something was denied by SELinux but
not audited, and I had trouble determining what rules were blocking
the operation.
You can turn off the dontaudit rules by executing the following in the policy src dir:
make enableaudit
make load
--
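The thread turns on two things: mount-point directories that carry an unusable label before the filesystem is mounted, and denials that dontaudit rules hide from the audit log. The following script is an added example, not code from anyone in this thread; it parses AVC denial records from an audit log, groups them by source type, target type, class and permission, and singles out denials whose target carries one of the types SELinux falls back to for objects with no usable label (the symptom of an unlabelled mount point). The audit lines in SAMPLE_AUDIT_LOG are constructed for the example; the record layout follows the kernel's AVC format. Denials suppressed by a dontaudit rule never reach the log at all, which is why the `make enableaudit` / `make load` step above is needed before a tool like this can see them.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread). Only "type=AVC"
# lines carry a denial; the SYSCALL record is there to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1100000000.100:21): avc:  denied  { search } for  pid=412 comm="ls" name="usr" dev=sda1 ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1100000000.101:22): avc:  denied  { getattr } for  pid=412 comm="ls" path="/usr/local" dev=sda1 ino=19 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1100000000.102:23): avc:  denied  { search } for  pid=412 comm="ls" name="usr" dev=sda1 ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1100000000.200:24): avc:  denied  { read } for  pid=530 comm="httpd" name="index.html" dev=sda1 ino=88 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1100000000.200:24): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC denial: "avc:  denied  { perm perm } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
# The object is reported either as name="..." (a path component) or path="...".
OBJ_RE = re.compile(r'\b(?:path|name)="(?P<obj>[^"]*)"')

# Types SELinux assigns to objects that have no label or a label the loaded
# policy does not know; a mount point that was never relabelled shows up here.
UNLABELLED_TYPES = {"unlabeled_t", "file_t"}


def context_type(ctx):
    """Return the type field (third colon-separated part) of a security context."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Extract every AVC denial from raw audit text as a list of dicts."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = tuple(sorted(d["perms"].split()))
        obj = OBJ_RE.search(line)
        d["object"] = obj.group("obj") if obj else None
        denials.append(d)
    return denials


def summarize(denials):
    """Count denials by (scontext, tcontext, tclass, perms) so repeats collapse."""
    return Counter(
        (d["scontext"], d["tcontext"], d["tclass"], d["perms"]) for d in denials
    )


def unlabelled_targets(denials):
    """Denials whose target type indicates an object with no usable label."""
    return [d for d in denials if context_type(d["tcontext"]) in UNLABELLED_TYPES]


if __name__ == "__main__":
    ds = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for (s, t, cls, perms), n in summarize(ds).most_common():
        print(f"{n:3d}x {context_type(s)} -> {context_type(t)} {cls} {{ {' '.join(perms)} }}")
    print("targets with no usable label:")
    for d in unlabelled_targets(ds):
        print(f"  {d['object']} ({d['tclass']}) tcontext={d['tcontext']}")
```

Run it against a real `/var/log/audit/audit.log` by reading the file into `parse_avc_denials`; a target type of `unlabeled_t` or `file_t` on a directory that is later mounted over points at the mount point's own label on the parent filesystem, which `restorecon` on the unmounted directory fixes without touching the policy.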