On 01/19/2011 02:25 PM, Sven Vermeulen wrote:
On Wed, Jan 19, 2011 at 02:05:39PM -0600, Chris Richards wrote:
As I mentioned previously, my concern with having harmless AVCs in the
log is that we create a situation where the System Admin gets so used to
seeing all of these AVCs that he gets in the habit of ignoring them.
Being in the habit of ignoring stuff in the logs is, IMO, a Bad Thing
because it increases the likelihood of ignoring something important.
That being said, troubleshooting a system where legitimate AVCs are
being dontaudited can be difficult, and determining if an AVC should be
dontaudited can involve digging through a LOT of code. Perhaps we
should leave the AVCs we aren't certain of for a bit, with an eye to
either dontauditing or fixing them at a later date?
Hmm, perhaps with a tunable_policy called `gentoo_try_dontaudit' or
something similar. The boolean could provide additional benefit as it sais
to the end user "hey, if you enable this, you'll get less AVC denials but we
are not fully confident yet that they are true ignorable denials", unlike
the "semodule -D" approach which also disables all real ignorable dontaudit
denials.
Now THAT'S an idea a like!
Later,
Chris
