Message ID | 20220921185426.1663357-1-jeffxu@chromium.org (mailing list archive) |
---|---|
Series | Add CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT |
On 9/21/2022 11:54 AM, jeffxu@chromium.org wrote:

> From: Jeff Xu <jeffxu@chromium.org>
>
> This patch was originally developed by Luis Hector Chavez
> <lhchavez@chromium.org>
>
> For systems that use SECURITY_SELINUX_DEVELOP=y and allow permissive
> domains. The audit log from permissive domains can be excessive in
> practice, and this patch is useful to avoid the log spam.

Doesn't this defeat the purpose of permissive mode? If you aren't
logging the events that would have failed how can you learn what
policy you should have?

> Luis Hector Chavez (1):
>   Add CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT
>
>  security/selinux/Kconfig | 10 ++++++++++
>  security/selinux/avc.c   |  9 +++++++++
>  2 files changed, 19 insertions(+)
>
> --
> 2.37.3.968.ga6b4b080e4-goog
From: Jeff Xu <jeffxu@chromium.org>

This patch was originally developed by Luis Hector Chavez
<lhchavez@chromium.org>

For systems that use SECURITY_SELINUX_DEVELOP=y and allow permissive
domains. The audit log from permissive domains can be excessive in
practice, and this patch is useful to avoid the log spam.

Luis Hector Chavez (1):
  Add CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT

 security/selinux/Kconfig | 10 ++++++++++
 security/selinux/avc.c   |  9 +++++++++
 2 files changed, 19 insertions(+)

--
2.37.3.968.ga6b4b080e4-goog