From: Maxime Chevallier <maxime.chevallier@bootlin.com>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>,
	Antoine Tenart <atenart@kernel.org>,
	buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v3] package/refpolicy: Add option to disable "dontaudit" rules
Date: Thu, 20 Jan 2022 08:48:04 +0100
Message-ID: <20220120084804.429f1d54@bootlin.com>
In-Reply-To: <20220119233944.7ba2d09f@windsurf>

Hello Thomas,

On Wed, 19 Jan 2022 23:39:44 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

>On Wed, 19 Jan 2022 23:23:32 +0100
>Giulio Benetti <giulio.benetti@benettiengineering.com> wrote:
>
>> +config BR2_REFPOLICY_DISABLE_DONTAUDIT
>> +	bool "Disable dontaudit"  
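
Review bot: the prompt on the `bool` line, "Disable dontaudit", reads as a double negative and does not say what turning the option on changes. As the discussion in this thread notes, what gets allowed or denied stays the same and only the AVC log output differs, so a prompt that names that effect (for example, one saying that denials matched by dontaudit rules get logged) would be clearer. The same applies to the symbol name on the `config` line.
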
>
>I am still extremely confused by the name of the option, with its double
>negative.
>
>When enabled, this option will disable something that doesn't audit.
>Meh.

I agree about the confusing double-negative, but it follows the SELinux
terminology from the rules syntax. My personal view is that the "make
enableaudit" target is a bit confusing already :)

>Is it possible to find a better name / description that doesn't make
>one's brain segfault when trying to understand what it does?

Maybe we can think of an option name like
"BR2_REFPOLICY_VERBOSE_DONTAUDIT", suggesting that we're not silencing
these 'dontaudit' rules anymore? The only actual effect is what gets
printed in the AVC logs.

>The make target that gets triggered is "enableaudit". Would it make
>sense to call this option BR2_PACKAGE_REFPOLICY_ENABLE_AUDIT?

The more I think about that, the more I think that using
"enable/disable" here is misleading, the behaviour stays the same with
regard to what gets denied/allowed, only the logs are going to change.

Thanks,

Maxime

>It would be nice to get the feedback from Antoine and/or Maxime on this.
>
>Thomas



-- 
Maxime Chevallier, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com