SELinux permissive domains in non-Fedora tree

Daniel J Walsh dwalsh at
Fri Jun 5 13:24:02 UTC 2009

On 06/05/2009 08:51 AM, Stephen Smalley wrote:
> On Fri, 2009-06-05 at 09:30 +0100, Ted Rule wrote:
>> I was much cheered last year to see Dan's permissive domains feature
>> make it into the Fedora Policy, as per his livejournal article:
>> I had rather rashly hoped that this would make it into the main RedHat
>> tree quite quickly as it seems so very useful for testing new applications.
>> Sadly, it doesn't appear to exist in one of my CentOS5.3 instances
>> running these versions - at least "semanage --help" suggests that it's
>> not there, and I'm assuming
>> that CentOS5.3 is near enough in policy version to RHEL5 to show that
>> RHEL5 lacks the feature:
>> $ rpm -q policycoreutils selinux-policy-targeted kernel
>> policycoreutils-1.33.12-14.2.el5
>> selinux-policy-targeted-2.4.6-203.el5
>> kernel-2.6.18-92.el5
>> kernel-2.6.18-128.1.10.el5
>> but of course it does exist in my F10 instance running these:
>> $ rpm -q policycoreutils selinux-policy-targeted kernel
>> policycoreutils-2.0.57-14.fc10.i386
>> selinux-policy-targeted-3.5.13-38.fc10.noarch
>> kernel-
>> Is there a timescale for adding this feature to RHEL5, or will it have
>> to wait until RHEL6? Is there some sort of workaround to run the F10 policy
>> on a CentOS5 box to get the feature, or does that simply involve so many
>> version changes to umpteen other packages as to be a fruitless exercise?
> I can't speak to your question about when or whether it would be
> backported to RHEL5, but it would require back porting the patches to
> the kernel, libsepol, checkpolicy, and policycoreutils (semanage).  And
> due to the incremental nature of the binary policy format versions, they
> would also have to back port the policy capabilities patches.  It would
> certainly be a nice feature to have in RHEL5.
Well backporting major features to RHEL5 is frowned upon from a risk 
factor.   So I do not see this feature being back ported.  We will be 
releaseing semodule -DB in RHEL5.4 though.

More information about the fedora-selinux-list mailing list