The story behind by default permissive domains

Daniel J Walsh dwalsh at redhat.com
Tue Nov 24 20:17:06 UTC 2009


On 11/24/2009 12:23 PM, Göran Uddeborg wrote:
> After switching to F12 policy I've started getting SELinux alerts from
> setroubleshoot looking like this
> 
>     Summary:
> 
>     SELinux is preventing ntop (ntop_t) "create" ntop_t.
> 
>     Detailed Description:
> 
>     [ntop has a permissive type (ntop_t). This access was not denied.]
> 
> I thought permissive domains was meant as a debugging and development
> tool.  But I haven't (knowingly) made ntop_t permissive.  And the
> command suggested in the user guide, semodule -l | grep permissive,
> returns nothing.
> 
> So it seems ntop_t is permissive by default somehow.  Is the reasoning
> behind domains that are permissive by default documented somewhere?  A
> blog I should read or so?  Can I find out what other domains are also
> permissive?
> 
> (I haven't yet upgraded ntop to F12, so this particular AVC might be
> because I run an old version.  This mail is a question about the
> concept of domains that are permissive from the start, not this AVC.)
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
Our thoughts on permissive domains were that when we introduce a new domain during a release, we will run it permissive until the end of that release. ntop was added to F12, so it is permissive until F13; in F13 it will be enforcing. This allows us to get all of the AVC messages for ntop without blowing it up in the real world. I don't remember if I blogged on this idea or not.
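The setroubleshoot summary quoted above says "This access was not denied", and the reply explains why: ntop_t was shipped permissive in the F12 policy. The following shell script is an added example, not code from the thread or from Fedora, showing how to confirm that from the raw audit records and from the loaded policy rather than from setroubleshoot's summary. It assumes the kernel's AVC records carry a `permissive=` field (current kernels do), that setools' `seinfo --permissive` is installed for the policy check, and that its output is one type per line under a "Permissive Types" header; the three audit records embedded below are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original thread): triage raw AVC records so the
# "permissive" annotation setroubleshoot shows can be checked against the audit
# log and the loaded policy. The three records below are constructed, not real.

AVC_PERMISSIVE='type=AVC msg=audit(1259093826.101:42): avc:  denied  { create } for  pid=2311 comm="ntop" scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=process permissive=1'
AVC_ENFORCED='type=AVC msg=audit(1259093826.102:43): avc:  denied  { read } for  pid=2311 comm="ntop" name="shadow" dev=dm-0 ino=1310 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'
AVC_OLD='type=AVC msg=audit(1259093826.103:44): avc:  denied  { write } for  pid=2311 comm="ntop" scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_outcome RECORD -> "permissive" (logged but allowed), "denied", or
# "unknown" (record predates the permissive= field, so it cannot be told apart)
avc_outcome() {
  case "$1" in
    *'permissive=1'*) echo permissive ;;
    *'permissive=0'*) echo denied ;;
    *)                echo unknown ;;
  esac
}

# avc_source_type RECORD -> the TYPE field of scontext=user:role:TYPE:level
avc_source_type() {
  printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

# policy_permissive_types -> types declared permissive in the loaded policy.
# This is where a type like ntop_t shows up; `semodule -l | grep permissive`
# only lists the permissive_<type> modules that `semanage permissive -a` adds.
# Assumes seinfo prints a "Permissive Types" header followed by one type per line.
policy_permissive_types() {
  if command -v seinfo >/dev/null 2>&1; then
    seinfo --permissive | grep -v 'Permissive Types' | tr -d ' \t' | grep -v '^$'
  fi
}

# is_permissive_type TYPE -> exit 0 if TYPE is permissive in the loaded policy
is_permissive_type() {
  policy_permissive_types | grep -qx -- "$1"
}

# Walk the sample records; on a live system feed this from
#   ausearch -m avc -ts recent
for rec in "$AVC_PERMISSIVE" "$AVC_ENFORCED" "$AVC_OLD"; do
  printf '%s (%s): %s\n' "$(avc_source_type "$rec")" "$(avc_outcome "$rec")" "${rec#*avc:  denied  }"
done

# Cross-check one domain against the loaded policy (prints nothing if seinfo is absent)
if is_permissive_type ntop_t; then
  echo 'ntop_t is declared permissive in the loaded policy'
fi
```

The point of the `unknown` branch is that only records carrying `permissive=` can tell you whether a logged "denied" was actually enforced; the setroubleshoot summary is derived from that field, so when triaging older records or a log forwarded from another host, fall back to `seinfo --permissive` on the policy that was loaded there.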
