The selinux-policy maintainers sometimes set new rules to permissive to give users time to report denials and fix those before flipping the switch to enforcing. We haven't been noticing the new denials until the switch to enforcing happens because we currently don't report tests with SELinux denials as failing. We should fix that.
Also, when reporting denials to the policy maintainers, it's helpful to them to include the audit logs. So we need to archive that information too alongside the console and journal.
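As an added illustration of the check proposed above (this is example code written for this page, not kola's or coreos-assembler's own implementation), the following Go program scans captured journal/audit text for AVC records, pulls out the source/target contexts, the object class and the `permissive=` flag, and reports the test as failed whenever any denial is present, including ones the policy currently only logs in permissive mode. The log lines embedded in it are constructed samples in the standard audit AVC format, and the field names it parses (`comm`, `scontext`, `tcontext`, `tclass`, `permissive`) are the ones the kernel emits in that format; the summary it builds is the sort of text you would archive next to the console and journal output when filing a denial with the policy maintainers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial is one AVC record extracted from audit or journal output.
type Denial struct {
	Perms      string // permissions requested, e.g. "read" or "read write"
	Comm       string // process name from comm="..."
	SContext   string // source (subject) context
	TContext   string // target (object) context
	TClass     string // object class, e.g. file, dir, unix_stream_socket
	Permissive bool   // permissive=1 means the access was logged but allowed
}

var (
	// Matches the "avc:  denied  { perms }" core of an AVC record, whether it
	// came from auditd (type=AVC) or the kernel ring buffer via the journal.
	avcRe = regexp.MustCompile(`avc:\s+denied\s+\{([^}]*)\}`)
	// Key/value fields we care about; values are either quoted or bare tokens.
	fieldRe = regexp.MustCompile(`\b(comm|scontext|tcontext|tclass|permissive)=("[^"]*"|\S+)`)
)

// ParseDenials returns every AVC denial found in the given log text.
func ParseDenials(log string) []Denial {
	var out []Denial
	for _, line := range strings.Split(log, "\n") {
		m := avcRe.FindStringSubmatch(line)
		if m == nil {
			continue // not an AVC denial line
		}
		d := Denial{Perms: strings.TrimSpace(m[1])}
		for _, f := range fieldRe.FindAllStringSubmatch(line, -1) {
			v := strings.Trim(f[2], `"`)
			switch f[1] {
			case "comm":
				d.Comm = v
			case "scontext":
				d.SContext = v
			case "tcontext":
				d.TContext = v
			case "tclass":
				d.TClass = v
			case "permissive":
				d.Permissive = v == "1"
			}
		}
		out = append(out, d)
	}
	return out
}

// CheckDenials implements the proposed rule: any denial fails the test, even
// a permissive one, so new rules are noticed before they are switched to
// enforcing. It returns the verdict and a report suitable for archiving.
func CheckDenials(log string) (failed bool, report string) {
	ds := ParseDenials(log)
	if len(ds) == 0 {
		return false, "no SELinux denials"
	}
	permissive := 0
	var b strings.Builder
	for _, d := range ds {
		if d.Permissive {
			permissive++
		}
		fmt.Fprintf(&b, "  denied { %s } comm=%s %s -> %s tclass=%s permissive=%t\n",
			d.Perms, d.Comm, d.SContext, d.TContext, d.TClass, d.Permissive)
	}
	header := fmt.Sprintf("%d SELinux denial(s), %d permissive\n", len(ds), permissive)
	return true, header + b.String()
}

// sampleLog is a constructed excerpt: one permissive denial seen in the
// journal, one enforcing denial from auditd, and an unrelated journal line.
const sampleLog = `kernel: audit: type=1400 audit(1614000000.123:456): avc:  denied  { read } for  pid=1234 comm="systemd-foo" name="bar" dev="vda4" ino=12345 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614000000.500:457): avc:  denied  { write } for  pid=22 comm="dbus-daemon" scontext=system_u:system_r:dbusd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
systemd[1]: Started Foo Service.
`

func main() {
	failed, report := CheckDenials(sampleLog)
	fmt.Printf("test failed: %t\n%s", failed, report)
}
```

Because the verdict and the report come from the same pass over the captured output, a test runner can archive the report alongside the console and journal files it already keeps and mark the test failed in one step; permissive denials show up in the count rather than being silently allowed through.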
There's a lot of discussions and code in https://github.com/coreos/coreos-assembler/pull/2067 related to this.
Briefly:
kola-denylist.yaml