From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 2 Mar 2011 15:47:03 +0100
Subject: [refpolicy] [PATCH 18/34]: patch for the policykit module (labeling, start from dbus, read xdm files)
In-Reply-To: <4D6E4B6A.5090708@tresys.com>
References: <1297837325.3205.75.camel@tesla.lan> <4D6BA982.6070101@tresys.com> <1298920070.3123.9.camel@tesla.lan> <4D6D4500.2080508@tresys.com> <1299019647.14035.81.camel@tesla.lan> <4D6E4B6A.5090708@tresys.com>
Message-ID: <20110302144702.GA20297@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Mar 02, 2011 at 08:51:38AM -0500, Christopher J. PeBenito wrote:
[... About when dontaudit is advantageous ...]
> In general, anything that is not required should be denied. We do not
> want to fill up the logs with extraneous denial messages, so we
> dontaudit them. If there is a question of denials being suppressed by
> dontaudits, that's why we have semodule -D.

Yup. What we do within Gentoo Hardened during the policy development is to
embrace the dontaudits that we *think* can be used within a tunable
(gentoo_try_dontaudit). It allows us and testers to validate if the policy
is good (and doesn't fill the audit logs with unnecessary denials) but still
leave some granularity (the boolean) before really disabling all dontaudit
statements.

Eventually, when we're more confident that the dontaudit is really
opportunistic, then we'll remove it from the tunable and also suggest it for
inclusion in the reference policy.

Wkr,
	Sven Vermeulen