public inbox for gentoo-hardened@lists.gentoo.org
From: Chris Richards <gizmo@giz-works.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux policy rules principles?
Date: Wed, 19 Jan 2011 14:34:58 -0600
Message-ID: <4D374AF2.9000006@giz-works.com>
In-Reply-To: <20110119202459.GA8673@siphos.be>

On 01/19/2011 02:25 PM, Sven Vermeulen wrote:
> On Wed, Jan 19, 2011 at 02:05:39PM -0600, Chris Richards wrote:
>> As I mentioned previously, my concern with having harmless AVCs in the
>> log is that we create a situation where the System Admin gets so used to
>> seeing all of these AVCs that he gets in the habit of ignoring them.
>> Being in the habit of ignoring stuff in the logs is, IMO, a Bad Thing
>> because it increases the likelihood of ignoring something important.
>>
>> That being said, troubleshooting a system where legitimate AVCs are
>> being dontaudited can be difficult, and determining if an AVC should be
>> dontaudited can involve digging through a LOT of code.  Perhaps we
>> should leave the AVCs we aren't certain of for a bit, with an eye to
>> either dontauditing or fixing them at a later date?
> Hmm, perhaps with a tunable_policy called `gentoo_try_dontaudit' or
> something similar. The boolean could provide additional benefit as it says
> to the end user "hey, if you enable this, you'll get less AVC denials but we
> are not fully confident yet that they are true ignorable denials", unlike
> the "semodule -D" approach which also disables all real ignorable dontaudit
> denials.
>

Now THAT'S an idea I like!

Later,
Chris
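The `gentoo_try_dontaudit` boolean Sven proposes, written out as a reference-policy fragment. This is an added illustration, not code from the thread or from the Gentoo policy; the `myapp` module, the `myapp_t`/`myapp_tmp_t` types and the specific dontaudit rules are hypothetical placeholders.

```selinux
# Hypothetical module; myapp_t, myapp_tmp_t and the rules below are
# placeholders chosen for illustration, not real Gentoo policy.
policy_module(myapp, 1.0.0)

## <desc>
## <p>
## Silence AVC denials that the policy maintainers believe are harmless
## but have not yet verified. Off by default, so unverified denials
## remain visible in the audit log until they are reviewed.
## </p>
## </desc>
gen_tunable(gentoo_try_dontaudit, false)

########################################
#
# myapp local policy
#

# Denial already verified as harmless: unconditional dontaudit, as usual.
dontaudit myapp_t self:capability sys_tty_config;

# Denials not yet verified go in the tunable block. They are silenced
# only when the administrator opts in:  setsebool gentoo_try_dontaudit on
# Once a rule is confirmed harmless (or fixed), it moves out of this block.
tunable_policy(`gentoo_try_dontaudit',`
	dontaudit myapp_t myapp_tmp_t:file { read getattr };
	dontaudit myapp_t self:process getsched;
')
```

Toggling the boolean off re-exposes only the rules the maintainers marked as unverified, whereas `semodule -D` strips every dontaudit rule in the loaded policy, including the ones already known to be safe.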



Thread overview:
2011-01-16 15:09 [gentoo-hardened] SELinux policy rules principles? Sven Vermeulen
2011-01-16 17:06 ` Chris Richards
2011-01-19 19:39   ` Sven Vermeulen
2011-01-19 20:05     ` Chris Richards
2011-01-19 20:25       ` Sven Vermeulen
2011-01-19 20:34         ` Chris Richards [this message]
2011-01-21 21:55   ` Sven Vermeulen
2011-01-21 22:12     ` klondike
2011-01-21 22:43     ` Chris Richards
     [not found] ` <4D33455B.8050708@users.sourceforge.net>
2011-01-19 19:54   ` Sven Vermeulen
