audit2allow is not that hard for developers

Posted Oct 16, 2008 18:47 UTC (Thu) by dwheeler (guest, #1216)
Parent article: SELinux permissive domains

audit2allow really isn't that hard for developers to deal with. It'll tell them exactly what operation was tried, on exactly what (e.g., which file). Developers of the application can usually quickly figure out whether or not that's reasonable. The problem is when END-USERS try to deal with audit2allow; end-users typically don't know enough about the application to know if something was "reasonable". So as long as _developers_ are using audit2allow to refine the policy, it's probably a really good thing.


audit2allow is not that hard for developers

Posted Oct 16, 2008 20:07 UTC (Thu) by Hawke (subscriber, #6978)

All the more reason for SELinux policies to be created by the developers most familiar with their applications, rather than by the SELinux developers or by distributions.

audit2allow is not that hard for developers

Posted Oct 17, 2008 9:42 UTC (Fri) by ballombe (subscriber, #9523)

There is also the benefit that developers can sometimes decide that the application behavior is not reasonable and fix the application instead of the policy.
