No more selinux-policy-*-sources

Ivan Gyurdiev ivg2 at cornell.edu
Tue Mar 14 19:14:23 UTC 2006


> http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions#head-6dcc9a7f5f2d7e7ee033e777caacebb434713dd7 
>

> "The most common reason for a silent denial is when the policy 
> contains an explicit dontaudit rule to suppress audit messages. The 
> dontaudit rule is often used this way when a benign denial is filling 
> the audit logs."
..which imho should be considered a bug in 90% of the cases where it's 
used - either a bug in policy, or a bug in the app.

I've seen dontaudits where the app "seems" to work (non-fatal error), 
but a denial is generated, so the dontaudit was added to make it go 
away. This seems completely wrong to me - I disagree with the "benign" 
denial, that's just covering up functionality that doesn't work. There 
should be a comment above every dontaudit that explains why it's needed, 
and why this problem can't be solved otherwise. In fact... it would be 
nice if every block of rules had a comment in front of it explaining 
why it's needed in terms of application functionality.

Just my 2c.
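The convention argued for above (a justifying comment above every dontaudit) is easy to check mechanically. The following lint is an added example, not code from the post or from the Fedora/reference policy; the module name, types and interface call in the embedded sample .te are constructed for illustration and are not claimed to exist in any real policy. It flags any `dontaudit` rule, or any `*_dontaudit_*(...)` interface call, whose immediately preceding line is not a `#` comment.

```python
"""Lint an SELinux policy source (.te) for dontaudit rules without a
comment directly above them.  Added example; not part of any policy tree."""
import re
from typing import List, Tuple

# A bare dontaudit rule, or an interface call that wraps one
# (refpolicy names these foo_dontaudit_bar); both hide denials.
DONTAUDIT_RE = re.compile(r'^\s*(dontaudit\b|\w+_dontaudit_\w+\s*\()')
COMMENT_RE = re.compile(r'^\s*#')


def find_undocumented_dontaudits(policy_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule text) for every dontaudit whose
    immediately preceding line is not a '#' comment.  A blank line between
    comment and rule counts as "no comment": the comment then belongs to
    the previous block, not to the suppression."""
    lines = policy_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if not DONTAUDIT_RE.match(line):
            continue
        documented = idx > 0 and COMMENT_RE.match(lines[idx - 1]) is not None
        if not documented:
            findings.append((idx + 1, line.strip()))
    return findings


# Constructed sample module (hypothetical names) exercising both the
# documented and the undocumented case.
SAMPLE_TE = """\
policy_module(example, 1.0)

type example_t;
type example_exec_t;

# Some libraries probe for a controlling tty at startup and cope with
# the failure; suppressing this removes noise without hiding a real bug.
dontaudit example_t tty_device_t:chr_file { read write };

dontaudit example_t self:capability sys_tty_config;

allow example_t example_exec_t:file { read execute };

term_dontaudit_use_console(example_t)
"""


def main() -> None:
    for lineno, rule in find_undocumented_dontaudits(SAMPLE_TE):
        print(f"{lineno}: undocumented dontaudit: {rule}")


if __name__ == "__main__":
    main()
```

Run against the sample it reports lines 10 and 14 and stays quiet about line 8, which carries its justification. Wired into a policy tree's build it gives the "why is this needed" comment the post asks for a place to live, and makes its absence a build-time finding rather than something noticed only after a real failure was silenced.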




More information about the devel mailing list