On 3/20/19 10:56 AM, SZIGETVÁRI János wrote:
Hi Stephen,
I have to admit I forgot to mention that I was creating the policy on
RHEL 7.5, not Fedora.
Nonetheless, the same appears to be true on Fedora. dontaudit rules for
all domains obviously make it harder to debug and develop policies for
new domains. They should be kept to a minimum.
I suspect these rules were to silence "noisy" denials when sockets are
created without SOCK_CLOEXEC and then the process execs into a different
domain. But a) in some of those cases, we probably do need/want to
allow inheritance, so we need to see those denials, and b) we shouldn't
silence the self case. Unfortunately we don't have a way to write rules
that exclude self currently.
Sorry about that!
János
Stephen Smalley <sds@xxxxxxxxxxxxx> wrote
(on 2019 Mar 20, Wed, 15:45):
Obvious question is why are these being dontaudit'd by Fedora policy.
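An added example, not code from anyone in this thread, showing the mechanism discussed above: a socket created without SOCK_CLOEXEC stays open across exec and is inherited by the new domain (which is what produces the denials being dontaudit'd), whereas SOCK_CLOEXEC, or retrofitting FD_CLOEXEC with fcntl(), keeps the descriptor out of the exec'd domain. The function names are mine; it assumes Linux with glibc or musl.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create an AF_UNIX socket with the given extra type flags (0 or
 * SOCK_CLOEXEC) and report whether the descriptor is close-on-exec.
 * Returns 1 if FD_CLOEXEC is set, 0 if it is not, -1 on error. */
int socket_is_cloexec(int type_flags)
{
    int fd = socket(AF_UNIX, SOCK_STREAM | type_flags, 0);
    if (fd < 0)
        return -1;
    int fdflags = fcntl(fd, F_GETFD);
    close(fd);
    if (fdflags < 0)
        return -1;
    return (fdflags & FD_CLOEXEC) ? 1 : 0;
}

/* Retrofit for descriptors opened without SOCK_CLOEXEC. Note the window
 * between socket() and this call: a concurrent fork()+exec() in another
 * thread can still inherit the fd, which is why SOCK_CLOEXEC exists. */
int mark_cloexec(int fd)
{
    int fdflags = fcntl(fd, F_GETFD);
    if (fdflags < 0)
        return -1;
    return fcntl(fd, F_SETFD, fdflags | FD_CLOEXEC);
}

/* Open a socket the "leaky" way, retrofit the flag, and confirm the
 * change. Returns 1 when the descriptor went from inheritable to
 * close-on-exec, 0 otherwise, -1 on error. */
int retrofit_demo(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int before = fcntl(fd, F_GETFD) & FD_CLOEXEC;
    if (mark_cloexec(fd) < 0) {
        close(fd);
        return -1;
    }
    int after = fcntl(fd, F_GETFD) & FD_CLOEXEC;
    close(fd);
    return (before == 0 && after == FD_CLOEXEC) ? 1 : 0;
}

int main(void)
{
    printf("plain socket close-on-exec: %d\n", socket_is_cloexec(0));
    printf("SOCK_CLOEXEC socket close-on-exec: %d\n", socket_is_cloexec(SOCK_CLOEXEC));
    printf("retrofit via fcntl worked: %d\n", retrofit_demo());
    return 0;
}
```

A descriptor that reports 0 here is what crosses the exec boundary into the next domain; auditing those cases rather than silencing them is the point made above.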
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx