Re: access(2) vs. SELinux

On Mon, 2009-04-20 at 14:55 -0400, James Carter wrote:
> On Mon, 2009-04-20 at 11:11 -0400, Eric Paris wrote:
 
> > I strongly and vehemently oppose any solution that is a blanket
> > dontaudit on access calls, even if there is a flag to dontdonaudit.
> > This might be fine in "secure" shops where everyone understands and is
> > willing to suffer some extra SELinux pain but not here.  If SELinux gets
> > in the way it better scream to high heavens for my customers.
> > 
> 
> I think that what we need is a check to see if the domain is allowed to
> call access() on the object.  If it is not allowed, then a denial is
> generated; if it is, then the results of the desired permission check are
> returned, but denials are not audited.
> 
> This would better reflect what is actually happening.  When a domain
> calls access(), it is really reading the security properties of the
> object.

You're still just talking about a big global dontaudit hammer on the
EACCES people get back from access().  Not only that, you propose a new
permission every domain needs, of which I don't see any security benefit
(outside of maybe helping make sure people can't probe policy willy
nilly).

If access() had better return semantics than yes/no this might be a good
approach, but I don't see how a single extra perm helps anything and I'm
still railing against the global dontaudit hammer.

-Eric
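The three behaviours argued over above (the current "audit every access() denial", the blanket dontaudit Eric objects to, and James Carter's "check a permission to call access() first, then answer without auditing") are easiest to compare side by side. The following C model is an added example, not code from this thread or from the SELinux kernel code; the permission bit PERM_ACCESS_CALL, the rule struct and the three sample rules are assumptions made for the model, and it only reproduces what the caller sees (0 or -EACCES) and whether an AVC denial would be logged.

```c
/* Model of the access(2) audit semantics discussed in the thread.
 * Added example: not kernel code; the names below are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Permission bits. PERM_ACCESS_CALL stands for James Carter's proposed
 * "domain may call access() on this object" permission (hypothetical). */
enum {
    PERM_READ        = 1u << 0,
    PERM_WRITE       = 1u << 1,
    PERM_EXEC        = 1u << 2,
    PERM_ACCESS_CALL = 1u << 3,
};

/* Policy for one domain/type pair: what is allowed, what is dontaudited. */
struct rule {
    unsigned allowed;
    unsigned dontaudit;
};

/* What the caller and the audit log observe. */
struct outcome {
    int  rc;       /* 0 or -EACCES, as access(2) would report */
    bool audited;  /* would an AVC denial record be emitted? */
};

/* Constructed sample rules (not taken from any real policy). */
static const struct rule RULE_PROBE_OK  = { PERM_READ | PERM_ACCESS_CALL, 0 };
static const struct rule RULE_NO_PROBE  = { PERM_READ, 0 };
static const struct rule RULE_DONTAUDIT = { PERM_READ, PERM_WRITE };

/* Current behaviour as the thread describes it: access() is checked like
 * any other request, so a denial is audited unless every denied bit is
 * covered by a dontaudit rule. */
struct outcome check_current(const struct rule *r, unsigned requested)
{
    unsigned denied = requested & ~r->allowed;
    struct outcome o = { denied ? -EACCES : 0, false };
    o.audited = (denied & ~r->dontaudit) != 0;
    return o;
}

/* The blanket-dontaudit option Eric opposes: same answer, never audited,
 * so a misbehaving domain probing the policy leaves no trace. */
struct outcome check_blanket_dontaudit(const struct rule *r, unsigned requested)
{
    unsigned denied = requested & ~r->allowed;
    struct outcome o = { denied ? -EACCES : 0, false };
    return o;
}

/* James Carter's proposal: first decide whether the domain may call
 * access() on the object at all. If not, that is a real, audited denial
 * regardless of the bits asked for. If it may, return the real answer
 * for the requested bits without auditing it. */
struct outcome check_access_perm(const struct rule *r, unsigned requested)
{
    if (!(r->allowed & PERM_ACCESS_CALL)) {
        struct outcome o = { -EACCES, true };
        return o;
    }
    unsigned denied = requested & ~r->allowed;
    struct outcome o = { denied ? -EACCES : 0, false };
    return o;
}

static void show(const char *label, struct outcome o)
{
    printf("%-40s rc=%-8s audited=%s\n", label,
           o.rc == 0 ? "0" : "-EACCES", o.audited ? "yes" : "no");
}

int main(void)
{
    show("current, probe_ok, W_OK",          check_current(&RULE_PROBE_OK, PERM_WRITE));
    show("current, dontaudit W, W_OK",       check_current(&RULE_DONTAUDIT, PERM_WRITE));
    show("blanket dontaudit, probe_ok, W_OK", check_blanket_dontaudit(&RULE_PROBE_OK, PERM_WRITE));
    show("access perm, no_probe, R_OK",      check_access_perm(&RULE_NO_PROBE, PERM_READ));
    show("access perm, probe_ok, W_OK",      check_access_perm(&RULE_PROBE_OK, PERM_WRITE));
    show("access perm, probe_ok, R_OK",      check_access_perm(&RULE_PROBE_OK, PERM_READ));
    return 0;
}
```

The fourth line of the output is the point of contention: under the proposal a domain without the access-call permission gets -EACCES and a logged denial even for a bit (R_OK) the policy would otherwise grant, while a domain that holds it gets the honest yes/no answer with nothing logged, which is exactly the "global dontaudit on EACCES" Eric is objecting to.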


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
