On 01/19/2011 01:39 PM, Sven Vermeulen wrote:
So you want the application to function properly and that the logs have no
"cosmetic" AVC denials (fine - fully agree here). One thing that I can't
gather from this is
- do you want to dontaudit the AVC denials which apparently have no impact
on functionality, or
- do you want to allow the AVC denials even though they have no impact on
functionality
I personally don't mind having Gentoo Hardened pick the latter (we use
SELinux to confine applications in the manner that no denial should ever be
triggered as long as the application doesn't go beyond what it is programmed
to do). Even though it might not be within the principle of "least
privilege" (only allow what it needs), at least it gives the SELinux policy
developer a clearer scope of his tasks.
The problem with the first approach is that other users have a higher
likelihood of having a malfunctioning system than with the last (what the
developer sees as cosmetic might be important on other systems).
As I mentioned previously, my concern with having harmless AVCs in the
log is that we create a situation where the System Admin gets so used to
seeing all of these AVCs that he gets in the habit of ignoring them.
Being in the habit of ignoring stuff in the logs is, IMO, a Bad Thing
because it increases the likelihood of ignoring something important.
That being said, troubleshooting a system where legitimate AVCs are
being dontaudited can be difficult, and determining if an AVC should be
dontaudited can involve digging through a LOT of code. Perhaps we
should leave the AVCs we aren't certain of for a bit, with an eye to
either dontauditing or fixing them at a later date?
Later,
Chris
