>>>>> Personally, I'm not thrilled by the idea of sticking in dontaudit rules
>>>>> to quiet complaints at boot time that are caused by directories that
>>>>> are mislabelled.
>>>> Why not?
>>> I can't speak for Valdis, but for me the word "kludge" comes to mind.
>> It's not a kludge. The purpose of dontaudit rules is to prevent auditing of
>> operations that are not permitted, not interesting, and expected to happen.
>> This is exactly the situation.
> You say that dontaudit rules are to cover the following circumstances:
>
> 1. Not permitted.
> 2. Not interesting.
> 3. Expected to happen.
>
> That's not what's going on here and using dontaudit is a kludge. The
> OP is stating that *mount points* for /usr, /usr/local, and
> /usr/share are generating complaints because they're not properly
> labeled prior to being mounted. These are the directories themselves
> and not directories that are hidden by the mount. This is
> "interesting" and "not expected to happen," failing points 2 and 3.
>
> Regardless if the fix can be automated or not, telling the system to
> "just ignore it" is inappropriate IMO.

One thing I have noticed is that dontaudit messages occasionally get in the way when trying to modify the policy. When using the strict policy, I've had a few situations where something was denied by SELinux but not audited and I had trouble determining what rules were blocking the operation.

--
Mike
:wq