From: Chris Richards
Date: Wed, 19 Jan 2011 14:05:39 -0600
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux policy rules principles?
Message-ID: <4D374413.7070400@giz-works.com>
In-Reply-To: <20110119193936.GA7787@siphos.be>
References: <20110116150950.GA17577@siphos.be> <4D3325A7.5080101@giz-works.com> <20110119193936.GA7787@siphos.be>

On 01/19/2011 01:39 PM, Sven Vermeulen wrote:
> So you want the application to function properly and that the logs have no
> "cosmetic" AVC denials (fine - fully agree here). One thing that I can't
> gather from this is
> - do you want to dontaudit the AVC denials which apparently have no impact
> on functionality, or
> - do you want to allow the AVC denials even though they have no impact on
> functionality
>
> I personally don't mind having Gentoo Hardened pick the latter (we use
> SELinux to confine applications in the manner that no denial should ever be
> triggered as long as the application doesn't go beyond what it is programmed
> to do). Even though it might not be within the principle of "least
> privilege" (only allow what it needs), at least it gives the SELinux policy
> developer a clearer scope of his tasks.
>
> The problem with the first approach is that other users have a higher
> likelihood of having a malfunctioning system than with the last (what the
> developer sees as cosmetic might be important on other systems).
>

As I mentioned previously, my concern with having harmless AVCs in the log is that we create a situation where the System Admin gets so used to seeing all of these AVCs that he gets in the habit of ignoring them. Being in the habit of ignoring stuff in the logs is, IMO, a Bad Thing because it increases the likelihood of ignoring something important.

That being said, troubleshooting a system where legitimate AVCs are being dontaudited can be difficult, and determining if an AVC should be dontaudited can involve digging through a LOT of code. Perhaps we should leave the AVCs we aren't certain of for a bit, with an eye to either dontauditing or fixing them at a later date?

Later,
Chris
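The two options discussed in this thread, as an added example that is not part of the original message or of the Gentoo Hardened policy: a small script that groups constructed AVC denial lines by source type, target type and object class, then emits either a `dontaudit` or an `allow` rule for each group, depending on which ones the policy developer has judged cosmetic. The type names in the sample lines are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines; the process and labels are assumed, not taken
# from the thread.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1295467542.101:42): avc:  denied  { getattr } for  pid=1234 '
    'comm="ntpd" path="/etc/shadow" dev=sda1 ino=5678 '
    'scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1295467543.205:43): avc:  denied  { getattr } for  pid=1234 '
    'comm="ntpd" path="/etc/shadow" dev=sda1 ino=5678 '
    'scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1295467550.010:44): avc:  denied  { read } for  pid=1234 '
    'comm="ntpd" name="drift" dev=sda1 ino=91 '
    'scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_drift_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def summarize(lines):
    """Group denials by (source, target, class): merged permission set and hit count."""
    groups = defaultdict(lambda: [set(), 0])
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        groups[(stype, ttype, tclass)][0] |= perms
        groups[(stype, ttype, tclass)][1] += 1
    return groups


def candidate_rules(groups, cosmetic):
    """Emit a dontaudit rule for groups judged cosmetic, an allow rule otherwise.

    dontaudit silences the log line but still denies the access, so the admin no
    longer sees it (rebuild with `semodule -DB` to surface it again when
    troubleshooting); allow grants the access and stays visible to auditing.
    """
    rules = []
    for (stype, ttype, tclass), (perms, count) in sorted(groups.items()):
        verb = "dontaudit" if (stype, ttype, tclass) in cosmetic else "allow"
        rules.append(f"{verb} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};  # seen {count}x")
    return rules
```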