http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions#head-6dcc9a7f5f2d7e7ee033e777caacebb434713dd7
"The most common reason for a silent denial is when the policy
contains an explicit dontaudit rule to suppress audit messages. The
dontaudit rule is often used this way when a benign denial is filling
the audit logs."
...which IMHO should be considered a bug in 90% of the cases where it's
used - either a bug in the policy, or a bug in the app.
I've seen dontaudits where the app "seems" to work (non-fatal error),
but a denial is generated, so the dontaudit was added to make it go
away. This seems completely wrong to me - I disagree with the "benign"
denial, that's just covering up functionality that doesn't work. There
should be a comment above every dontaudit that explains why it's needed,
and why this problem can't be solved otherwise. In fact... it would be
nice if every block of rules had a comment in front of it explaining
why it's needed in terms of application functionality.
Just my 2c.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
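Added example, not from the post above and not from the Fedora or SELinux reference policy tooling: a small POSIX shell linter that enforces the convention the post argues for, flagging every dontaudit rule in a .te policy file that has no explanatory comment on the line directly above it. The module name, types and rules in the embedded sample policy are constructed for the demonstration; the line numbers it prints refer to that sample.

```shell
#!/bin/sh
# Added example (not code from the list post or from any SELinux policy
# project): lint a .te file for dontaudit rules that carry no explanation.

# Constructed sample policy module. The second dontaudit has a comment
# explaining why the denial is noise; the first and third do not.
SAMPLE_TE='policy_module(myapp, 1.0)

type myapp_t;
type myapp_log_t;

allow myapp_t myapp_log_t:file { open read write append };

dontaudit myapp_t self:capability sys_resource;

# myapp probes for CAP_SYS_ADMIN at startup and falls back cleanly when it
# is refused; the access must never be granted, so the denial is pure noise.
dontaudit myapp_t self:capability sys_admin;

allow myapp_t self:process signal;
dontaudit myapp_t self:process setrlimit;
'

# lint_dontaudit FILE
# Prints "<line>: <rule>" for every dontaudit rule whose preceding line is
# not a comment. Blank lines and other rules break the association, so the
# comment has to sit directly above the rule. Returns 1 if anything was
# flagged, 0 otherwise.
lint_dontaudit() {
    awk '
        /^[ \t]*#/ { prev_comment = 1; next }
        /^[ \t]*dontaudit[ \t]/ {
            if (!prev_comment) { printf "%d: %s\n", NR, $0; bad++ }
        }
        { prev_comment = 0 }
        END { exit (bad > 0) ? 1 : 0 }
    ' "$1"
}

# count_unexplained FILE
# Number of unexplained dontaudit rules in FILE (convenience wrapper).
count_unexplained() {
    lint_dontaudit "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample: flags lines 8 and 15.
tmp=$(mktemp)
printf '%s' "$SAMPLE_TE" > "$tmp"
lint_dontaudit "$tmp"
echo "unexplained dontaudit rules: $(count_unexplained "$tmp")"
rm -f "$tmp"
```

To see what a dontaudit is actually hiding on a live Fedora or RHEL system, rebuild the policy with all dontaudit rules disabled (`semodule -DB`), reproduce the "benign" behaviour, read the now-visible AVC records with `ausearch -m AVC -ts recent`, and restore normal policy with `semodule -B` afterwards; if setools is installed, `sesearch --dontaudit -s <domain>` lists the rules in force for a domain so each one can be checked against its comment.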