[Question] How enforcing and permissive differ on start-up

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Mon Dec 10 16:51:58 UTC 2007


2007/12/10, Stephen Smalley <sds at tycho.nsa.gov>:
> On Sat, 2007-12-08 at 22:47 +0900, Shintaro Fujiwara wrote:
> > Hi, I have a question on differences between permissive and enforcing.
> >
> > I installed courier-imap from source (as always), and configured
> > courier.te, courier.fc just to apply installation-path to source installation.
> >
> > There are two say, daemons, courier_$1_t, i.e. courier_authdaemon_t,
> > and I had to declare
> > domain_auto_trans(initrc_t, courier_exec_t, courier_t)
> > (courier_t was not declared in courier.te, so I did)
> > as I declared starting script in /etc/rc.d/rc.local.
> >
> > I set selinux enforcing and found that courier_authdaemon_t started all right,
> > but courier_t not.
> > When I set selinux permissive, it started all right.
> >
> > How should I fix this problem?
>
> Just to clarify, there is a difference between permissive and enforcing
> with regard to type transitions.  In permissive, if the type transition
> would yield an invalid context (e.g. role is not authorized for the new
> type), it nonetheless is allowed to proceed, whereas in enforcing mode,
> it fails.

I had the same kind of problem on cron in F6.
I solved it somehow at the time, though.
Now I'm trying to configure bind and it does not start up even in permissive.
I think something is wrong with the application itself?
I will ask again if I have a question on SELinux related matters.
Thanks!

> --
> Stephen Smalley
> National Security Agency
>
>


-- 
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/
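
Added example, not part of the original messages: a small Python parser that finds the kernel's `security_compute_sid` invalid-context records for process transitions, the failure Stephen Smalley describes above, and names the role/type pair to review. The log lines are constructed, `mydaemon_t` and `mydaemon_exec_t` are hypothetical types, and the function and field names are this example's own.

```python
import re

# Constructed audit records (not from the thread). The first uses the older
# free-text form of the kernel message, the third the newer key=value form.
# mydaemon_t / mydaemon_exec_t are hypothetical type names.
SAMPLE_LOG = """\
type=SELINUX_ERR msg=audit(1197305518.101:42): security_compute_sid:  invalid context system_u:system_r:courier_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:courier_exec_t:s0 tclass=process
type=AVC msg=audit(1197305518.230:43): avc:  denied  { read } for  pid=2101 comm="imapd" name="imapd.cnf" scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1197305519.007:44): op=security_compute_sid invalid_context="system_u:system_r:mydaemon_t:s0" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:mydaemon_exec_t:s0 tclass=process
"""

# Matches both spellings and captures the rejected context plus the source
# (calling domain) and target (executable file) contexts.
INVALID = re.compile(
    r'security_compute_sid(?::\s+invalid context |\s+invalid_context=")'
    r'(?P<ctx>[^\s"]+)"?'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)'
)

def failed_transitions(log_text):
    """Return one dict per process transition that yielded an invalid context."""
    findings = []
    for line in log_text.splitlines():
        m = INVALID.search(line)
        if not m or m.group("cls") != "process":
            continue  # AVC denials and non-process classes are out of scope
        _user, role, new_type = m.group("ctx").split(":")[:3]
        findings.append({
            "from_type": m.group("src").split(":")[2],
            "entrypoint": m.group("tgt").split(":")[2],
            "role": role,
            "new_type": new_type,
            # Policy statement to review; it applies only if the role/type
            # pairing is what makes the context invalid.
            "candidate": f"role {role} types {new_type};",
        })
    return findings

if __name__ == "__main__":
    for f in failed_transitions(SAMPLE_LOG):
        print(f"{f['from_type']} -> {f['new_type']} via {f['entrypoint']}: "
              f"invalid context; review '{f['candidate']}'")
```

The kernel writes this record in both modes, so a transition that only works in permissive still leaves it in the audit log.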



