On Tue, Feb 26, 2019 at 04:20:42PM -0600, Ted Toth wrote:
> The RHEL version of the auth_role macro which we are getting through
> our use of userdom_unpriv_user_template uses logging_send_audit_msgs
> which gives a type the audit_write capability and allow rules for a
> number of netlink_audit_socket operations. It seems counterintuitive to
> give an unprivileged user type audit write related policy. The
> ref-policy version of auth_role does not use logging_send_audit_msgs.
> We're considering patching our policy but I wanted to see what others
> thought about giving unprivileged user types this policy?
>
> Ted

I think this should indeed probably be dontaudited (I have a few of those in my policy as well, so do as I say not as I do).

Might have been added because of some unprivileged user space object manager trying to log to audit. These would not have been allowed anyway. XSELinux, old dbus come to mind.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
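To make the two choices under discussion concrete, here is a small local policy module written for this reply; it is an added example, not code from the thread, from RHEL's policy or from refpolicy. It assumes the unprivileged user domain is called `user_t` and that the module is built against refpolicy-style headers (the `policy_module`, `gen_require` and `create_socket_perms` macros). The commented-out allow rules are what `logging_send_audit_msgs` expands to in refpolicy; the exact permission set in RHEL's version may differ. The active rules are the dontaudit alternative suggested above.

```selinux
# local_user_audit.te (hypothetical module name)
# Added example: shows the allow rules an unprivileged user domain gets via
# logging_send_audit_msgs, next to the dontaudit rules suggested instead.
policy_module(local_user_audit, 1.0)

gen_require(`
    type user_t;                      # unprivileged user domain (assumed name)
    class capability audit_write;
    class netlink_audit_socket { create_socket_perms nlmsg_relay };
')

# Option A: what the RHEL auth_role grants, spelled out as raw rules.
# Left commented out here because the point of the thread is that an
# unprivileged user type should not be able to write audit records.
# allow user_t self:capability audit_write;
# allow user_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };

# Option B: keep the access denied, but stop logging the denials, so a
# userspace object manager that tries to send audit messages fails quietly
# instead of filling audit.log with expected AVCs.
dontaudit user_t self:capability audit_write;
dontaudit user_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
```

With the refpolicy development headers installed this builds and loads with `make -f /usr/share/selinux/devel/Makefile local_user_audit.pp && semodule -i local_user_audit.pp`. The trade-off to keep in mind is that dontaudit hides the denials: if you later need to see which process is attempting audit writes from a user domain, `semodule -DB` rebuilds the policy with all dontaudit rules disabled, and `semodule -B` restores them.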