[Buildroot] [PATCH v3] package/refpolicy: Add option to disable "dontaudit" rules

Maxime Chevallier maxime.chevallier at bootlin.com
Thu Jan 20 07:48:04 UTC 2022


Hello Thomas,

On Wed, 19 Jan 2022 23:39:44 +0100
Thomas Petazzoni <thomas.petazzoni at bootlin.com> wrote:

>On Wed, 19 Jan 2022 23:23:32 +0100
>Giulio Benetti <giulio.benetti at benettiengineering.com> wrote:
>
>> +config BR2_REFPOLICY_DISABLE_DONTAUDIT
>> +	bool "Disable dontaudit"  
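
Review bot: the symbol on the "config" line, BR2_REFPOLICY_DISABLE_DONTAUDIT, lacks the BR2_PACKAGE_ prefix that Buildroot package options carry (the alternative proposed in this thread is spelled BR2_PACKAGE_REFPOLICY_...), so it should be renamed to match. The prompt "Disable dontaudit" on the "bool" line also does not say what changes. A prompt stating that denials hidden by dontaudit rules will appear in the AVC logs, while what is allowed or denied stays the same, would avoid the double negative.
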
>
>I am still extremely confused by the name of the option, with its double
>negative.
>
>When enabled, this option will disable something that doesn't audit.
>Meh.

I agree about the confusing double-negative, but it follows the SELinux
terminology from the rules syntax. My personal view is that the "make
enableaudit" target is a bit confusing already :)

>Is it possible to find a better name / description that doesn't make
>one's brain segfault when trying to understand what it does?

Maybe we can think of an option name like
"BR2_REFPOLICY_VERBOSE_DONTAUDIT", suggesting that we're not silencing
these 'dontaudit' rules anymore? The only actual effect is what gets
printed in the AVC logs.

>The make target that gets triggered is "enableaudit". Would it make
>sense to call this option BR2_PACKAGE_REFPOLICY_ENABLE_AUDIT ?

The more I think about that, the more I think that using
"enable/disable" here is misleading, the behaviour stays the same with
regard to what gets denied/allowed, only the logs are going to change.

Thanks,

Maxime

>It would be nice to get the feedback from Antoine and/or Maxime on this.
>
>Thomas



-- 
Maxime Chevallier, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com


