On Thu, Sep 10, 2020 at 7:33 AM Richard Hughes <hughsi...@gmail.com> wrote:
>
> On Thu, 10 Sep 2020 at 10:17, Tom Hughes <t...@compton.nu> wrote:
> > > Speaking from personal experience, I've wasted days over the last
> > > decade trying to debug a locally installed system service that was not
> > > working where there were no messages in any of the logs (e.g. no AVCs)
> > > -- and turning off selinux at runtime magically fixed the problem.
> >
> > Some selinux rules are marked to not generate AVCs...
>
> Why!? There's sometimes no log output anywhere obvious that a syscall
> or something was blocked. It's the reason I turn off selinux on my
> work development machine, and I've often wasted *hours* of my life on
> code "doing something impossible" over the last decade until a neuron
> at the back of my brain remembers "you've not yet turned off selinux"
> and then when I "sudo setenforce 0" it works, and I can't actually
> file a bug as there's no indication of what selinux actually blocked
> or why.
>

Because Red Hat customers put the SELinux policy developers into
no-win situations: they complain about AVC denials that don't actually
significantly break anything in *their* app and often just disable
SELinux in those scenarios. Red Hat wants customers to use it and not
freak out all the time, so these kinds of things get added because it
is very hard to come up with the right rules for all cases and there's
not enough time to work on that.

(I know for a fact that more than a few dontaudit rules were the
result of those kinds of conversations, because I witnessed them)
--
真実はいつも一つ!/ Always, there's only one truth!
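As an added example (not code from this thread or from the Fedora project), here is the check a practitioner wants when a service fails silently and SELinux is suspected: temporarily disable dontaudit rules with `semodule -DB` so suppressed denials show up in the audit log, run the failing command, summarise the AVCs, and restore the policy. It assumes root, policycoreutils (semodule) and the audit tools (ausearch); the domain names in the comments and test are constructed.

```shell
#!/bin/sh
# Added example: surface AVC denials hidden by dontaudit rules.
# Requires root, policycoreutils (semodule) and audit (ausearch).

# Summarise AVC records from audit-log text on stdin into one line per
# (scontext -> tcontext tclass {perms}) tuple with a count. Pure text
# processing, so it can be run (and tested) without SELinux present.
avc_summary() {
    awk '
    /type=AVC/ {
        perms = ""; sc = ""; tc = ""; cl = ""
        # permissions appear as "{ read write }" in the record
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") sc = kv[2]
            if (kv[1] == "tcontext") tc = kv[2]
            if (kv[1] == "tclass")   cl = kv[2]
        }
        n[sc " -> " tc " " cl " {" perms "}"]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Run a command with dontaudit rules disabled, print the denials logged
# during the run, and always rebuild the policy with dontaudit back on.
# Usage: run_with_dontaudit_disabled systemctl restart mydaemon
run_with_dontaudit_disabled() {
    stamp=$(date '+%H:%M:%S')        # ausearch -ts accepts a time of day
    semodule -DB || return 1          # -D: disable dontaudit, -B: rebuild
    trap 'semodule -B' EXIT INT TERM  # safety net if the command is killed
    "$@"; rc=$?
    echo "--- AVC denials during run (command exit status $rc) ---"
    ausearch -m AVC -ts "$stamp" 2>/dev/null | avc_summary
    semodule -B                       # restore the normal (quiet) policy
    trap - EXIT INT TERM
    return $rc
}
```

Once the summary names the domain, type and permission being denied, there is enough to file a policy bug or write a local module instead of reaching for setenforce 0.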
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org