SELinux permissive domains in non-Fedora tree

Stephen Smalley sds at
Fri Jun 5 12:51:12 UTC 2009

On Fri, 2009-06-05 at 09:30 +0100, Ted Rule wrote:
> I was much cheered last year to see Dan's permissive domains feature
> make it into the Fedora Policy, as per his livejournal article:
> I had rather rashly hoped that this would make it into the main RedHat
> tree quite quickly as it seems so very useful for testing new applications.
> Sadly, it doesn't appear to exist in one of my CentOS5.3 instances
> running these versions - at least "semanage --help" suggests that it's
> not there, and I'm assuming
> that CentOS5.3 is near enough in policy version to RHEL5 to show that
> RHEL5 lacks the feature:
> $ rpm -q policycoreutils selinux-policy-targeted kernel
> policycoreutils-1.33.12-14.2.el5
> selinux-policy-targeted-2.4.6-203.el5
> kernel-2.6.18-92.el5
> kernel-2.6.18-128.1.10.el5
> but of course it does exist in my F10 instance running these:
> $ rpm -q policycoreutils selinux-policy-targeted kernel
> policycoreutils-2.0.57-14.fc10.i386
> selinux-policy-targeted-3.5.13-38.fc10.noarch
> kernel-
> Is there a timescale for adding this feature to RHEL5, or will it have
> to wait until RHEL6? Is there some sort of workaround to run the F10 policy
> on a CentOS5 box to get the feature, or does that simply involve so many
> version changes to umpteen other packages as to be a fruitless exercise?

I can't speak to your question about when or whether it would be
backported to RHEL5, but it would require back porting the patches to
the kernel, libsepol, checkpolicy, and policycoreutils (semanage).  And
due to the incremental nature of the binary policy format versions, they
would also have to back port the policy capabilities patches.  It would
certainly be a nice feature to have in RHEL5.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list