The story behind by default permissive domains
Dominick Grift
domg472 at gmail.com
Tue Nov 24 18:18:57 UTC 2009
On Tue, Nov 24, 2009 at 06:23:17PM +0100, Göran Uddeborg wrote:
> After switching to F12 policy I've started getting SELinux alerts from
> setroubleshoot looking like this
>
> Summary:
>
> SELinux is preventing ntop (ntop_t) "create" ntop_t.
>
> Detailed Description:
>
> [ntop has a permissive type (ntop_t). This access was not denied.]
>
> I thought permissive domains was meant as a debugging and development
> tool. But I haven't (knowingly) made ntop_t permissive. And the
> command suggested in the user guide, semodule -l | grep permissive,
> returns nothing.
>
> So it seems ntop_t is permissive by default somehow. Is the reasoning
> behind domains that are permissive by default documented somewhere? A
> blog I should read or so? Can I find out what other domains are also
> permissive?
>
> (I haven't yet upgraded ntop to F12, so this particular AVC might be
> because I run an old version. This mail is a question about the
> concept of domains that are permissive from the start, not this AVC.)
Well i am not sure what Fedoras' policy is on this, but to me, Fedora is a development platform. Permissive domains put domain into permissive state. This usually done during development of modules so that i can be tested without end-users running a risk of losing functionality.
So, Yes in a production environment you probably would not see permissive domains but since Fedora is a development platform, policy is still tested in a permissive state.
In Enterprise Linux you should not see permissive domains.
It could also be that Fedora forgot to remove the permissive declaration from the module, but i doubt that.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20091124/ff4346a6/attachment.sig>
More information about the fedora-selinux-list
mailing list