On Thu, Sep 10, 2020 at 2:28 PM Richard Hughes <hughsient@xxxxxxxxx> wrote:
> On Thu, 10 Sep 2020 at 12:38, Neal Gompa <ngompa13@xxxxxxxxx> wrote:
> > Because Red Hat customers put the SELinux policy developers into
> > no-win situations: they complain about AVC denials that don't actually
> > significantly break anything in *their* app
>
> My response to that would be to ship an "AVC ignore-list" config file
> in userspace alongside the customer application -- rather than just
> pretending that SELinux didn't do anything at all for all apps.

That has another disadvantage, though: all the false-positive denials
would then fill up the audit log (the frequency can be quite high), i.e.
either taking up extra space on disk or pushing out other, potentially
valuable, audit records. Not to mention the CPU cycles wasted by the
audit stack to process the records. Dontaudit by default + semodule -DB
for debugging is IMHO the only reasonable compromise.

Anyway, this is getting off-topic w.r.t. the proposal. Please start a
new thread if you want to continue discussing dontaudit rules.

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
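As an added illustration of the trade-off discussed above (not code from the thread or from any SELinux tool), the script below aggregates AVC denial records the way one would before writing dontaudit rules, measures how many audit bytes the noisy entries cost, and emits dontaudit policy lines only for the tuples on a reviewed ignore-list so that denials against anything else stay audited. The audit lines and the types `myapp_t`, `var_log_t` and `shadow_t` usage are constructed sample data.

```python
import re

# Constructed sample audit records (made-up PIDs, inodes and the myapp_t domain).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1599740000.101:501): avc:  denied  { read } for  pid=1201 comm="myapp" name="app.log" dev="sda1" ino=77 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599740000.102:502): avc:  denied  { read } for  pid=1201 comm="myapp" name="app.log" dev="sda1" ino=77 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599740000.103:503): avc:  denied  { getattr } for  pid=1201 comm="myapp" path="/etc/shadow" dev="sda1" ino=9 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1599740000.103:503): arch=c000003e syscall=4 success=no exit=-13
"""

# Matches the parts of an AVC record that a dontaudit rule is keyed on.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)


def type_of(context):
    """Return the type field of an SELinux context (user:role:type:level)."""
    return context.split(":")[2]


def summarize(log_text):
    """Aggregate denials by (source type, target type, class).

    Returns {key: (record count, set of permissions, bytes of audit log)} so the
    caller can see both how often a denial fires and how much log it consumes.
    """
    agg = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:                       # SYSCALL and other non-AVC records are skipped
            continue
        key = (type_of(m["src"]), type_of(m["tgt"]), m["cls"])
        count, perms, nbytes = agg.get(key, (0, set(), 0))
        agg[key] = (count + 1, perms | set(m["perms"].split()), nbytes + len(line) + 1)
    return agg


def dontaudit_rules(agg, ignore):
    """Emit dontaudit lines for reviewed false positives only; everything else stays audited."""
    return [
        f"dontaudit {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (s, t, cls), (_, perms, _) in sorted(agg.items())
        if (s, t, cls) in ignore
    ]


def audit_bytes_silenced(agg, ignore):
    """Bytes of audit log the ignore-listed denials would otherwise have produced."""
    return sum(nbytes for key, (_, _, nbytes) in agg.items() if key in ignore)
```

With the reviewed ignore-list `{("myapp_t", "var_log_t", "file")}` the script yields one dontaudit line and leaves the shadow_t denial visible; the same aggregation also shows why a userspace ignore-list does nothing for the log volume.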