From: Maxime Chevallier <maxime.chevallier@bootlin.com>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>,
Antoine Tenart <atenart@kernel.org>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v3] package/refpolicy: Add option to disable "dontaudit" rules
Date: Thu, 20 Jan 2022 08:48:04 +0100 [thread overview]
Message-ID: <20220120084804.429f1d54@bootlin.com> (raw)
In-Reply-To: <20220119233944.7ba2d09f@windsurf>
Hello Thomas,
On Wed, 19 Jan 2022 23:39:44 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
>On Wed, 19 Jan 2022 23:23:32 +0100
>Giulio Benetti <giulio.benetti@benettiengineering.com> wrote:
>
>> +config BR2_REFPOLICY_DISABLE_DONTAUDIT
>> + bool "Disable dontaudit"
>
>I am still extremely confused by the name of option, with its double
>negative.
>
>When enabled, this option will disable something that doesn't audit.
>Meh.
I agree about the confusing double-negative, but it follows the SELinux
terminology from the rules syntax. My personal view is that the "make
enableaudit" target is a bit confusing already :)
>Is it possible to find a better name / description that doesn't make
>one's brain segfault when trying to understand what it does ?
Maybe we can think of an option name like
"BR2_REFPOLICY_VERBOSE_DONTAUDIT", suggesting that we're not silencing
these 'dontaudit' rules anymore ? The only actual effect is what gets
printed in the AVC logs.
>The make target that gets triggered is "enableaudit". Would it make
>sense to call this option BR2_PACKAGE_REFPOLICY_ENABLE_AUDIT ?
The more I think about that, the more I think that using
"enable/disable" here is misleading, the behaviour stays the same with
regard to what gets denied/allow, only the logs are going to change.
Thanks,
Maxime
>It would be nice to get the feedback from Antoine and/or Maxime on this.
>
>Thomas
--
Maxime Chevallier, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-01-20 7:48 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-28 12:52 [Buildroot] [PATCH v2] package/refpolicy: Add option to disable "dontaudit" rules Maxime Chevallier
2021-01-28 14:24 ` Antoine Tenart
2022-01-19 22:23 ` [Buildroot] [PATCH v3] " Giulio Benetti
2022-01-19 22:39 ` Thomas Petazzoni
2022-01-19 23:56 ` Giulio Benetti
2022-01-20 7:48 ` Maxime Chevallier [this message]
2022-01-20 9:29 ` Antoine Tenart
2022-01-23 22:21 ` Giulio Benetti
2022-01-24 8:44 ` Antoine Tenart
2022-01-24 8:59 ` Giulio Benetti
2022-01-24 9:06 ` Antoine Tenart
2022-01-24 9:20 ` Giulio Benetti
2022-01-24 9:29 ` Antoine Tenart
2022-01-24 9:32 ` Giulio Benetti
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220120084804.429f1d54@bootlin.com \
--to=maxime.chevallier@bootlin.com \
--cc=atenart@kernel.org \
--cc=buildroot@buildroot.org \
--cc=giulio.benetti@benettiengineering.com \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox