--- On Sat, 9/12/09, Eric Paris eparis@redhat.com wrote:
From: Eric Paris eparis@redhat.com
Subject: Re: too many sealerts, most have been reported, and still see denials
To: "Antonio Olivares" olivares14031@yahoo.com
Cc: "Justin P. Mattock" justinmattock@gmail.com, fedora-selinux-list@redhat.com
Date: Saturday, September 12, 2009, 4:07 PM

On Sat, 2009-09-12 at 13:55 -0700, Antonio Olivares wrote:
Not exactly sure what's happening. Keep in mind if you're using a development version of Fedora, then you will run into issues (if you're on stable then you should be fine).
I knew that ahead of time, but it did not seem to be this troublesome this time with Fedora 12. I have been testing since Fedora 5 Test 2 release and have not encountered as many denials as I have in this Fedora 12 testing phase. Guess many don't complain because they run SELinux disabled selinux=0, or enforcing=0 so they don't care to report the issues?
No, the vast majority of the 'denials' aren't actually denials. Dan removed all unconfined domains and replaced them with permissive domains. An unconfined domain allows everything and audits nothing. A permissive domain allows everything but audits every time there is no allow rule for a given request.
This has helped to define the actual needs of many of the unconfined domains. And hopefully we can remove them entirely in the future. Please keep filing bugs.
Thanks for encouraging me to keep filing bugs. I will continue running it and report errors whenever I can. I hope that the bug reporter works, because it breaks once in a while :(
It's no surprise you are getting more messages, but it shouldn't be really different than in previous development for the number of problems it actually causes.
-Eric
Regards,
Antonio
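
The distinction Eric draws above, as an added example that is not part of the original thread: a short Python triage that separates AVC records logged for permissive domains (allowed, audit only) from those logged for confined domains (actually blocked). The log lines, the domain names exampled_t and otherd_t, and the permissive set are constructed; it assumes the host itself is in enforcing mode and that the permissive set was gathered separately, for instance from `semanage permissive -l`.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1252789620.101:41): avc:  denied  { read } for  pid=2101 comm="exampled" name="state" dev=dm-0 ino=4411 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1252789620.101:41): arch=c000003e syscall=2 success=yes exit=3 comm="exampled"
type=AVC msg=audit(1252789621.300:42): avc:  denied  { read getattr } for  pid=2101 comm="exampled" name="state" dev=dm-0 ino=4411 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1252789650.007:43): avc:  denied  { write } for  pid=2200 comm="otherd" name="conf" dev=dm-0 ino=5120 scontext=system_u:system_r:otherd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Assumption: domain types currently marked permissive on this host.
PERMISSIVE_TYPES = {"exampled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return source type, target type, class and permissions, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:level]; the type is always the third field.
    return {
        "source": m["scontext"].split(":")[2],
        "target": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
    }

def triage(log_text, permissive_types):
    """Count AVC records per (source, target, class, perm), split by whether the
    source domain is permissive (request was allowed) or confined (request was blocked)."""
    audited_only, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL and other record types are skipped
        bucket = audited_only if rec["source"] in permissive_types else blocked
        for perm in rec["perms"]:
            bucket[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return audited_only, blocked

if __name__ == "__main__":
    audited_only, blocked = triage(SAMPLE_LOG, PERMISSIVE_TYPES)
    print("audit only (permissive domain):", dict(audited_only))
    print("blocked (confined domain):", dict(blocked))
```

The audit-only bucket is the list of allow rules a permissive domain would need before it could be confined, which is the information the bug reports feed back to the policy.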