Add SELinux permissive domains to fedora kernels

Daniel J Walsh dwalsh at redhat.com
Tue Apr 1 04:42:37 UTC 2008


Jeremy Katz wrote:
> On Mon, 2008-03-31 at 14:07 -0400, Eric Paris wrote:
>> I know it's way late but I'd like to add a new SELinux concept to the F9
>> kernels.  It's going to be a backport of a couple of my changesets headed
>> upstream
> 
> As a cranky release engineering person, no no no no no no
> 
> We have a feature freeze for a reason, the kernel doesn't get a blank
> check to get past it.  If it was that important, it would have been done
> in time for the freeze.  The next release is in six months, so it's not
> like it's that long to have to wait
> 
> Jeremy
> 
I can go either way whether this goes in or not.  The userspace updates
are done. The only change would be to modify some tools to quickly build
a policy module to make a domain permissive.

Permissive domains is a great new feature though:

It gives users the following:

1. Some Wall Street customers originally brought up the idea.  They want
to be able to build a policy package to confine an application and after
testing distribute it to their systems as a permissive domain.  Then run
it for a couple of months, once they are convinced that it will not
break anything, they can turn it to an enforcing domain.  We could start
doing similar things for new confined domains in Rawhide.
2.  We have a regression reported against Fedora since Fedora 7 that
complained when we removed *disable_trans booleans.  These were removed
because disabling a transition in one domain could affect another domain
by not setting the file context correctly.  So permissive domains would
be a great replacement for disable_trans.
3. Finally, when a user builds a new policy for a domain, we tell them to
use tools to build a framework for policy and install the new domain and
set up labeling.  Then we tell them to put the machine in permissive mode
to run the app, and gather AVCs.  This change would allow you to leave
your entire machine in enforcing mode while you run your new domain in
permissive mode, gathering the AVCs.
4. Sometimes people are convinced SELinux is causing an application to
break, one way we tell them to test whether SELinux is the culprit is
put the machine in permissive mode and see if the app still breaks,
permissive domains would give us the ability to only put one domain in
permissive mode.

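
Added example, not part of the original message and not code from the SELinux project: a sketch of the AVC-gathering step in items 3 and 4, collecting denials for one permissive domain while the rest of the machine stays enforcing. The domain name myapp_t and the audit records are constructed for illustration, and the permissive= field is assumed to be present in the AVC records (not every kernel logs it).

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1207024957.101:41): avc:  denied  { read } for  pid=2301 comm="myapp" name="app.conf" dev=dm-0 ino=1201 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1207024957.105:42): avc:  denied  { getattr } for  pid=2301 comm="myapp" path="/etc/app.conf" dev=dm-0 ino=1201 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1207024957.105:42): arch=c000003e syscall=4 success=yes exit=0 pid=2301 comm="myapp"
type=AVC msg=audit(1207024958.210:43): avc:  denied  { name_connect } for  pid=2301 comm="myapp" dest=80 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1207024960.007:44): avc:  denied  { write } for  pid=1877 comm="httpd" name="messages" dev=dm-0 ino=773 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avcs(log_text):
    """Yield (domain, target_type, tclass, perms, permissive) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types are skipped
        # A context is user:role:type[:level]; the type is the third field.
        domain = m["scon"].split(":")[2]
        target = m["tcon"].split(":")[2]
        # permissive= may be missing from a record, in which case it is None.
        yield domain, target, m["tclass"], set(m["perms"].split()), m["permissive"]

def allow_rules(log_text, domain):
    """Candidate allow rules for one domain, merged per (target, class)."""
    merged = defaultdict(set)
    for dom, target, tclass, perms, _ in parse_avcs(log_text):
        if dom == domain:
            merged[(target, tclass)] |= perms
    return [f"allow {domain} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (t, c), p in sorted(merged.items())]

def enforced_denials(log_text):
    """Domains whose denials were actually blocked (permissive=0)."""
    return sorted({dom for dom, *_, flag in parse_avcs(log_text) if flag == "0"})

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG, "myapp_t")))
    print("blocked:", enforced_denials(SAMPLE_LOG))
```

The rules it prints are candidates for review, not policy to load as-is; a denial logged with permissive=1 was allowed to proceed, while one with permissive=0 was blocked.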
