From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
I get getattr denials for all the restricted types in my home directory. That's because browsing applications get inside a folder they can get to and try to getattr on everything there. That's common to nautilus, mplayer (it has a file browser), probably mozilla and anything that can browse around. That includes samba.

All I did was mount my home directory, and ls inside, and I got about 20 denials for various types there.

For mplayer I did:

dontaudit $1_mplayer_t file_type:dir_file_class_set { getattr };

Is this wrong? There should be a standard way of solving this problem - maybe a macro that can be used for all those applications.

Also, what exactly is the difference between an allow rule and a dontaudit rule?

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.5-2

How reproducible:
Always

Steps to Reproduce:
1. See summary

Additional info:
For example, why is the following necessary? It makes sense to me that I should be able to see all the info. Why not make a macro for such things that does not audit getattr.

[phantom@cobra ~]$ ls -lZ /var
?---------  ?     ?     ?                                        account
drwxr-xr-x  root  root  system_u:object_r:var_t                  cache
drwxr-xr-x  root  root  system_u:object_r:var_t                  db
drwxr-xr-x  root  root  system_u:object_r:var_t                  empty
?---------  ?     ?     ?                                        gdm
drwxr-xr-x  root  root  system_u:object_r:var_lib_t              lib
drwxr-xr-x  root  root  system_u:object_r:var_t                  local
?---------  ?     ?     ?                                        lock
drwxr-xr-x  root  root  system_u:object_r:var_log_t              log
?---------  ?     ?     ?                                        mail
?---------  ?     ?     ?                                        named
drwx------  root  root  system_u:object_r:var_t                  net-snmp
drwxr-xr-x  root  root  system_u:object_r:var_t                  nis
drwxr-xr-x  root  root  system_u:object_r:var_t                  opt
drwxr-xr-x  root  root  system_u:object_r:var_t                  preserve
drwxr-xr-x  root  root  system_u:object_r:var_run_t              run
drwxr-xr-x  root  root  system_u:object_r:var_spool_t            spool
drwxrwxrwt  root  root  system_u:object_r:tmp_t                  tmp
drwxr-xr-x  root  root  system_u:object_r:httpd_sys_content_t    www
?---------  ?     ?     ?                                        yp
This should be brought up for discussion on the selinux list.

> Also, what exactly is the difference between an allow rule and a dontaudit rule?

Allow allows the action to happen. Dontaudit does not allow the action to happen but doesn't audit it.

I am not sure what the best thing to do here is. By using the dontaudit, you could lose valuable security information, i.e. a rogue app searching your file system.
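The trade-off raised in the previous comment (a dontaudit rule on getattr silences noise but also hides a process probing the file system) can be seen concretely by running a small classifier over AVC messages. The following script is an added example and not part of the bug report or of the selinux-policy package; the log lines are constructed samples in the classic "avc: denied { perm } for ..." layout, and the type names (user_mplayer_t, user_nautilus_t, user_mail_t, user_ssh_t) are assumptions chosen for illustration. It separates getattr-only denials, which a dontaudit rule like the one in the report would silence, from denials carrying other permissions, which would still be audited, and it emits per-type dontaudit rules, which are narrower than the file_type attribute used in the report.

```python
import re

# Constructed sample AVC messages (illustrative, not quoted from the report).
SAMPLE_AVC = """\
audit(1105000001.123:1): avc:  denied  { getattr } for  pid=2001 comm="mplayer" name="Mail" dev=hda3 ino=4101 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_mail_t tclass=dir
audit(1105000001.456:2): avc:  denied  { getattr } for  pid=2001 comm="mplayer" name=".ssh" dev=hda3 ino=4102 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_ssh_t tclass=dir
audit(1105000002.789:3): avc:  denied  { read } for  pid=2001 comm="mplayer" name="id_rsa" dev=hda3 ino=4103 scontext=user_u:user_r:user_mplayer_t tcontext=user_u:object_r:user_ssh_t tclass=file
audit(1105000003.012:4): avc:  denied  { getattr } for  pid=2002 comm="nautilus" name="Mail" dev=hda3 ino=4101 scontext=user_u:user_r:user_nautilus_t tcontext=user_u:object_r:user_mail_t tclass=dir
audit(1105000003.345:5): avc:  denied  { search } for  pid=2002 comm="nautilus" name=".ssh" dev=hda3 ino=4102 scontext=user_u:user_r:user_nautilus_t tcontext=user_u:object_r:user_ssh_t tclass=dir
"""

# Matches the permission set, the command, and the source/target contexts.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that a "dontaudit ... getattr" rule such as the one in the
# report would hide; everything else stays visible in the audit log.
BROWSE_PERMS = frozenset({'getattr'})


def type_of(context):
    """Return the type field of a user:role:type security context."""
    return context.split(':')[2]


def parse_avc(text):
    """Parse AVC denial lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            'comm': m.group('comm'),
            'perms': frozenset(m.group('perms').split()),
            'stype': type_of(m.group('scontext')),
            'ttype': type_of(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return records


def split_denials(records):
    """Split denials into those a getattr dontaudit rule would silence and those it would still report."""
    silenced, reported = [], []
    for r in records:
        (silenced if r['perms'] <= BROWSE_PERMS else reported).append(r)
    return silenced, reported


def dontaudit_rules(records):
    """One dontaudit rule per (source type, target type, class) for getattr-only denials.

    This is deliberately narrower than the report's rule, which targets the
    whole file_type attribute, so it can be reviewed type by type.
    """
    rules = set()
    for r in records:
        if r['perms'] <= BROWSE_PERMS:
            rules.add(f"dontaudit {r['stype']} {r['ttype']}:{r['tclass']} getattr;")
    return sorted(rules)


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_AVC)
    silenced, reported = split_denials(recs)
    print(f"{len(silenced)} getattr-only denials would be silenced, "
          f"{len(reported)} would still be audited")
    for r in reported:
        print("  still audited:", r['comm'], sorted(r['perms']), r['ttype'], r['tclass'])
    for rule in dontaudit_rules(recs):
        print(rule)
```

On the sample input the read of id_rsa and the search of .ssh remain in the log, while the three getattr denials disappear; that is exactly the information the dontaudit trade-off gives up, so the per-type rule list is worth reading before any of it is added to policy.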
Closed (for now :)