public inbox for gentoo-hardened@lists.gentoo.org
From: Sven Vermeulen <sven.vermeulen@siphos.be>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux policy rules principles?
Date: Wed, 19 Jan 2011 21:25:00 +0100	[thread overview]
Message-ID: <20110119202459.GA8673@siphos.be> (raw)
In-Reply-To: <4D374413.7070400@giz-works.com>

On Wed, Jan 19, 2011 at 02:05:39PM -0600, Chris Richards wrote:
> As I mentioned previously, my concern with having harmless AVCs in the 
> log is that we create a situation where the System Admin gets so used to 
> seeing all of these AVCs that he gets in the habit of ignoring them.  
> Being in the habit of ignoring stuff in the logs is, IMO, a Bad Thing 
> because it increases the likelihood of ignoring something important.
> 
> That being said, troubleshooting a system where legitimate AVCs are 
> being dontaudited can be difficult, and determining if an AVC should be 
> dontaudited can involve digging through a LOT of code.  Perhaps we 
> should leave the AVCs we aren't certain of for a bit, with an eye to 
> either dontauditing or fixing them at a later date?

Hmm, perhaps with a tunable_policy called `gentoo_try_dontaudit' or
something similar. The boolean could provide additional benefit as it says
to the end user "hey, if you enable this, you'll get less AVC denials but we
are not fully confident yet that they are true ignorable denials", unlike
the "semodule -D" approach which also disables all real ignorable dontaudit
denials.

Wkr,
	Sven Vermeulen
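As an added illustration (not part of the original thread, and not policy from the Gentoo hardened project), the following reference-policy style fragment shows what the proposal above looks like in a .te file: a verified dontaudit stays unconditional, while an unverified one is wrapped in the tunable. The domain and type names foo_t and bar_t and the two rules are assumptions chosen for the example; only the boolean name gentoo_try_dontaudit comes from the message.

```m4
## <desc>
## <p>
## Silence AVC denials that the policy authors believe are harmless
## but have not yet fully verified. Leave this off while troubleshooting.
## </p>
## </desc>
gen_tunable(gentoo_try_dontaudit, false)

# Denial that has been analysed and is known to be noise: always silenced.
# (foo_t is a hypothetical domain used only for this example.)
dontaudit foo_t self:capability sys_tty_config;

# Denial that looks harmless but has not been verified: only silenced when
# the administrator opts in by setting the boolean.
# (bar_t is a hypothetical type used only for this example.)
tunable_policy(`gentoo_try_dontaudit',`
	dontaudit foo_t bar_t:file getattr;
')
```

The difference in operation is the point of the thread: `setsebool -P gentoo_try_dontaudit off` brings back only the unverified denials for inspection, whereas `semodule -DB` rebuilds the policy with every dontaudit rule stripped, verified or not, and `semodule -B` is needed afterwards to restore them.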




Thread overview: 10+ messages
2011-01-16 15:09 [gentoo-hardened] SELinux policy rules principles? Sven Vermeulen
2011-01-16 17:06 ` Chris Richards
2011-01-19 19:39   ` Sven Vermeulen
2011-01-19 20:05     ` Chris Richards
2011-01-19 20:25       ` Sven Vermeulen [this message]
2011-01-19 20:34         ` Chris Richards
2011-01-21 21:55   ` Sven Vermeulen
2011-01-21 22:12     ` klondike
2011-01-21 22:43     ` Chris Richards
     [not found] ` <4D33455B.8050708@users.sourceforge.net>
2011-01-19 19:54   ` Sven Vermeulen
