On Mon, 2009-04-20 at 15:08 -0400, Eric Paris wrote:
> On Mon, 2009-04-20 at 14:55 -0400, James Carter wrote:
> > On Mon, 2009-04-20 at 11:11 -0400, Eric Paris wrote:
> > >
> > > I strongly and vehemently oppose any solution that is a blanket
> > > dontaudit on access calls, even if there is a flag to dontaudit.
> > > This might be fine in "secure" shops where everyone understands and is
> > > willing to suffer some extra SELinux pain but not here.  If SELinux gets
> > > in the way it better scream to high heavens for my customers.
> > >
> >
> > I think that what we need is a check to see if the domain is allowed to
> > call access() on the object.  If it is not allowed, then a denial is
> > generated; if it is, then the results of the desired permission check are
> > returned, but denials are not audited.
> >
> > This would better reflect what is actually happening.  When a domain
> > calls access(), it is really reading the security properties of the
> > object.
>
> You're still just talking about a big global dontaudit hammer on the
> EACCESS people get back from access().  Not only that, you propose a new
> permission every domain needs of which I don't see any security benefit
> (outside of maybe helping make sure people can't probe policy willy
> nilly).
>

If you don't care whether or not someone is probing the policy, then why
not just always use the _noaudit interfaces?  What is the security
benefit of the access_* permissions?  It looks like they are only going
to be used to determine if a denial should be generated.

> If access() had better return semantics than yes/no this might be a good
> approach, but I don't see how a single extra perm helps anything and I'm
> still railing against the global dontaudit hammer.
>
> -Eric

--
James Carter <jwcart2@xxxxxxxxxxxxxx>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
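The two-stage check James describes in the quoted text (an audited check on whether the domain may call access() at all, then an unaudited check of the real permission), simulated in user space as an added example. This is not code from the thread or from the SELinux kernel tree: the toy policy, the `access_<perm>` permission names, and the function names are all constructed here to show which denials reach the audit log under the proposal versus under always-audit behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One toy policy rule: may <domain> exercise <perm> on objects of <type>?
 * Anything not listed is denied, as in a real SELinux policy. (Constructed.) */
struct rule {
    const char *domain;
    const char *type;
    const char *perm;
    bool allowed;
};

/* Constructed policy. The hypothetical "access_<perm>" permissions model the
 * proposal: they say whether a domain may even ask about <perm> via access(),
 * independently of whether <perm> itself is granted. */
static const struct rule policy[] = {
    { "ls_t",    "etc_t",    "access_read", true  },
    { "ls_t",    "etc_t",    "read",        true  },
    { "ls_t",    "shadow_t", "access_read", true  }, /* may probe ...      */
    { "ls_t",    "shadow_t", "read",        false }, /* ... but not read   */
    { "probe_t", "shadow_t", "access_read", false }, /* may not even probe */
    { "probe_t", "shadow_t", "read",        false },
};

/* Number of denials that would have been written to the AVC audit log. */
static int audited_denials;

int audited_denial_count(void) { return audited_denials; }
void reset_audit(void) { audited_denials = 0; }

static bool policy_allows(const char *domain, const char *type, const char *perm)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (!strcmp(r->domain, domain) && !strcmp(r->type, type) &&
            !strcmp(r->perm, perm))
            return r->allowed;
    }
    return false; /* no matching rule: deny */
}

/* Always-audit behaviour (stand-in for an audited AVC check): every denial
 * is logged, including the routine "no" an access() probe is asking for. */
int access_check_audited(const char *domain, const char *type, const char *perm)
{
    if (policy_allows(domain, type, perm))
        return 0;
    audited_denials++;
    return -EACCES;
}

/* The proposal: first check the hypothetical access_<perm> permission
 * (audited); only if that passes, evaluate <perm> itself without auditing,
 * the way a _noaudit AVC interface would. */
int access_check_proposed(const char *domain, const char *type, const char *perm)
{
    char probe_perm[64];

    snprintf(probe_perm, sizeof probe_perm, "access_%s", perm);
    if (!policy_allows(domain, type, probe_perm)) {
        audited_denials++;      /* unauthorised probing is still loud */
        return -EACCES;
    }
    if (!policy_allows(domain, type, perm))
        return -EACCES;         /* an expected "no": silent, as with _noaudit */
    return 0;
}

int main(void)
{
    reset_audit();
    printf("ls_t access(shadow_t, R_OK) proposed: %d, audited denials %d\n",
           access_check_proposed("ls_t", "shadow_t", "read"), audited_denial_count());
    printf("probe_t access(shadow_t, R_OK) proposed: %d, audited denials %d\n",
           access_check_proposed("probe_t", "shadow_t", "read"), audited_denial_count());
    printf("ls_t access(shadow_t, R_OK) always-audit: %d, audited denials %d\n",
           access_check_audited("ls_t", "shadow_t", "read"), audited_denial_count());
    return 0;
}
```

Running it shows the trade-off both sides argue over: under the proposal the ls_t probe of shadow_t returns EACCES with nothing logged, while probe_t, which lacks access_read, is denied and logged. Under always-audit the same ls_t call produces an audit record. Whether the extra access_* permission buys more than a dontaudit on the EACCES path is exactly the question left open in the thread.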