On Wed, Jan 19, 2011 at 02:05:39PM -0600, Chris Richards wrote:
> As I mentioned previously, my concern with having harmless AVCs in the
> log is that we create a situation where the System Admin gets so used to
> seeing all of these AVCs that he gets in the habit of ignoring them.
> Being in the habit of ignoring stuff in the logs is, IMO, a Bad Thing
> because it increases the likelihood of ignoring something important.
>
> That being said, troubleshooting a system where legitimate AVCs are
> being dontaudited can be difficult, and determining if an AVC should be
> dontaudited can involve digging through a LOT of code. Perhaps we
> should leave the AVCs we aren't certain of for a bit, with an eye to
> either dontauditing or fixing them at a later date?
Hmm, perhaps with a tunable_policy called `gentoo_try_dontaudit' or
something similar. The boolean could provide additional benefit as it sais
to the end user "hey, if you enable this, you'll get less AVC denials but we
are not fully confident yet that they are true ignorable denials", unlike
the "semodule -D" approach which also disables all real ignorable dontaudit
denials.
Wkr,
Sven Vermeulen
