Hi Stephen,

The rule has been there for almost 9 years.
https://github.com/fedora-selinux/selinux-policy/commit/54f9ea9e7ccf243b0fbdbeefffb017d95f647cd2

I have no problem removing it.

Lukas.

On 3/20/19 4:10 PM, Stephen Smalley wrote:
> On 3/20/19 10:56 AM, SZIGETVÁRI János wrote:
>> Hi Stephen,
>>
>> I have to admit, I forgot to mention that I was creating the policy
>> on RHEL 7.5, not Fedora.
>
> Nonetheless, the same appears to be true on Fedora. dontaudit rules for
> all domains obviously make it harder to debug and develop policies for
> new domains. They should be kept to a minimum.
>
> I suspect these rules were to silence "noisy" denials when sockets are
> created without SOCK_CLOEXEC and then the process execs into a different
> domain. But a) in some of those cases, we probably do need/want to
> allow inheritance, so we need to see those denials, and b) we shouldn't
> silence the self case. Unfortunately we don't have a way to write rules
> that exclude self currently.
>
>>
>> Sorry about that!
>> János
>>
>> Stephen Smalley <sds@xxxxxxxxxxxxx> wrote (on Wed, 20 Mar 2019, 15:45):
>>
>>     Obvious question is why are these being dontaudit'd by Fedora policy.
>>
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
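Added example, not part of the thread or of the selinux-policy code: a small C helper that lists the sockets a process would carry across exec because they lack FD_CLOEXEC, the situation the quoted message suspects these dontaudit rules were written to silence. It assumes Linux with /proc mounted; the function name count_inheritable_sockets is made up for this illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count open sockets in this process that lack FD_CLOEXEC, i.e. sockets
 * that stay open across execve() and are then seen by whatever domain the
 * new program runs in. Prints each one when verbose. Returns -1 on error. */
int count_inheritable_sockets(int verbose)
{
    DIR *d = opendir("/proc/self/fd");   /* assumption: /proc is mounted */
    if (!d)
        return -1;
    int self = dirfd(d), count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0' || fd == self)
            continue;           /* skip ".", ".." and the directory's own fd */
        struct stat st;
        if (fstat((int)fd, &st) != 0 || !S_ISSOCK(st.st_mode))
            continue;           /* only sockets are of interest here */
        int flags = fcntl((int)fd, F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC)) {
            count++;
            if (verbose)
                printf("fd %ld: socket without FD_CLOEXEC\n", fd);
        }
    }
    closedir(d);
    return count;
}

int main(void)
{
    /* Constructed sample: one socket of each kind. */
    int leaky = socket(AF_UNIX, SOCK_STREAM, 0);
    int safe = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    printf("inheritable sockets: %d\n", count_inheritable_sockets(1));
    close(leaky);
    close(safe);
    return 0;
}
```

Sockets reported here are the ones to either mark close-on-exec or cover with an explicit allow rule where inheritance is intended.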