From: Sven Vermeulen
Date: Wed, 19 Jan 2011 21:25:00 +0100
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux policy rules principles?
Message-ID: <20110119202459.GA8673@siphos.be>
References: <20110116150950.GA17577@siphos.be> <4D3325A7.5080101@giz-works.com> <20110119193936.GA7787@siphos.be> <4D374413.7070400@giz-works.com>
In-Reply-To: <4D374413.7070400@giz-works.com>

On Wed, Jan 19, 2011 at 02:05:39PM -0600, Chris Richards wrote:
> As I mentioned previously, my concern with having harmless AVCs in the
> log is that we create a situation where the System Admin gets so used to
> seeing all of these AVCs that he gets in the habit of ignoring them.
> Being in the habit of ignoring stuff in the logs is, IMO, a Bad Thing
> because it increases the likelihood of ignoring something important.
>
> That being said, troubleshooting a system where legitimate AVCs are
> being dontaudited can be difficult, and determining if an AVC should be
> dontaudited can involve digging through a LOT of code. Perhaps we
> should leave the AVCs we aren't certain of for a bit, with an eye to
> either dontauditing or fixing them at a later date?

Hmm, perhaps with a tunable_policy called `gentoo_try_dontaudit' or
something similar. The boolean could provide additional benefit as it says
to the end user "hey, if you enable this, you'll get less AVC denials but
we are not fully confident yet that they are true ignorable denials",
unlike the "semodule -D" approach which also disables all real ignorable
dontaudit denials.

Wkr,
Sven Vermeulen
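As an added sketch of the boolean-gated dontaudit idea discussed in this thread (written for this archive page, not policy from the thread or from Gentoo's policy tree), the reference-policy pattern looks like this; the domain name `example_daemon_t`, the type `example_conf_t` and the `dir search` access vector are hypothetical placeholders, only `gentoo_try_dontaudit` comes from the message above:

```m4
## <desc>
##   <p>
##   Silence AVC denials that are believed to be harmless but have not
##   yet been verified as safe to dontaudit unconditionally. Leave this
##   off while troubleshooting so those denials still reach the audit log.
##   </p>
## </desc>
gen_tunable(gentoo_try_dontaudit, false)

# Hypothetical domain/type names, used only to illustrate the pattern.
# With the boolean off (the default), no rule exists here, so the denial
# is still audited. With it on, the rule behaves like an ordinary
# dontaudit: the access is still denied, only the log entry is dropped.
tunable_policy(`gentoo_try_dontaudit',`
    dontaudit example_daemon_t example_conf_t:dir search;
')
```

An administrator opts in with `setsebool -P gentoo_try_dontaudit on`, which only affects the rules gated by this boolean, whereas `semodule -DB` disables every dontaudit rule in the loaded policy at once.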