[DSE-Dev] Bug#756731: Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

Mika Pflüger mika at mikapflueger.de
Fri Aug 1 09:33:22 UTC 2014


Hi Andre,

as you can see I set the severity of the "cosmetic" bug reports, where
AVCs are logged but apparently no functional degradation happens to
"minor". Often programs will use different codepaths (or do not
actually care) when something is denied (think of the equivalent of "ls
-la|grep etc" [or something along the lines which actually makes sense]
where stat'ing /dev will be prohibited. It will log an AVC, but the
program doesn't actually care). Therefore, in policy we have
"dontaudit" rules, which do deny access, but don't log AVCs. So if
functionality is not degraded, this actually looks like a missing
dontaudit rule, which is arguably only a minor error.

Also please note that updates to Debian stable are only done for at
least important bugs, so it is not really worth reporting minor bugs
against versions in stable (other than for documentation purposes); we
most likely will not actually fix them. If someone finds time, we will
however try to test if they persist in testing/unstable to try to fix
them in testing, such that the next stable release will have fewer
bugs. If you could test minor/normal bugs you find in stable in
testing/unstable (e.g. in a VM), that would actually help us a lot!

If you need some help in setting up a test environment for that, I can
help you with it (or even provide a VM to you which you can use for
testing if you do not have the necessary hardware).

Cheers,

Mika

-- 
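An added example, not part of the original message or of the Debian policy: a sketch of how logged AVC denials map onto candidate "dontaudit" rules of the kind described above. The log lines are constructed, and the type name example_t is hypothetical; a rule produced this way is only appropriate once it is confirmed that the denial causes no functional degradation.

```python
import re
from collections import defaultdict

# Constructed sample audit log lines (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1406885602.101:31): avc:  denied  { getattr } for  pid=412 comm="ls" path="/dev/example0" dev="devtmpfs" ino=1031 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1406885602.104:32): avc:  denied  { read } for  pid=412 comm="ls" name="example0" dev="devtmpfs" ino=1031 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1406885603.220:40): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1406885602.101:31): arch=c000003e syscall=4 success=no exit=-13
"""

# Match only denials; granted AVCs and other record types are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def dontaudit_candidates(log_text):
    """Group denials by (source type, target type, class) and emit one rule each."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if tgt == src:
            tgt = "self"  # policy syntax for a domain acting on itself
        grouped[(src, tgt, m["tclass"])].update(m["perms"].split())
    return [
        f"dontaudit {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in dontaudit_candidates(SAMPLE_LOG):
        print(rule)
```
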
