The story behind by default permissive domains

Dominick Grift domg472 at gmail.com
Tue Nov 24 18:18:57 UTC 2009


On Tue, Nov 24, 2009 at 06:23:17PM +0100, Göran Uddeborg wrote:
> After switching to F12 policy I've started getting SELinux alerts from
> setroubleshoot looking like this
> 
>     Summary:
> 
>     SELinux is preventing ntop (ntop_t) "create" ntop_t.
> 
>     Detailed Description:
> 
>     [ntop has a permissive type (ntop_t). This access was not denied.]
> 
> I thought permissive domains were meant as a debugging and development
> tool.  But I haven't (knowingly) made ntop_t permissive.  And the
> command suggested in the user guide, semodule -l | grep permissive,
> returns nothing.
> 
> So it seems ntop_t is permissive by default somehow.  Is the reasoning
> behind domains that are permissive by default documented somewhere?  A
> blog I should read or so?  Can I find out what other domains are also
> permissive?
> 
> (I haven't yet upgraded ntop to F12, so this particular AVC might be
> because I run an old version.  This mail is a question about the
> concept of domains that are permissive from the start, not this AVC.)

Well, I am not sure what Fedora's policy is on this, but to me, Fedora is a development platform. Permissive domains put a domain into permissive state. This is usually done during development of modules so that it can be tested without end-users running a risk of losing functionality.

So, yes, in a production environment you probably would not see permissive domains, but since Fedora is a development platform, policy is still tested in a permissive state.
In Enterprise Linux you should not see permissive domains.

It could also be that Fedora forgot to remove the permissive declaration from the module, but I doubt that.
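The question above asks how to find out which other domains are permissive; as an added example (not from the original thread or either poster), the script below lists the permissive types in the loaded policy with `seinfo --permissive` from setools and checks one domain, with the parsing helpers exercised on a constructed sample of seinfo output. It assumes setools' seinfo and getenforce/semanage from policycoreutils are installed; `semodule -l` only lists module names, which is why grepping it for "permissive" finds nothing.

```shell
#!/bin/sh
# Added example, not from the original thread: list which domains the loaded
# SELinux policy marks permissive and check one of them (ntop_t here). Assumes
# setools' seinfo plus getenforce/semanage from policycoreutils; the parsing
# helpers are exercised on a constructed sample so they run without SELinux.

# Constructed sample of `seinfo --permissive` output: a count header, then one
# indented type name per line.
SAMPLE_SEINFO='Permissive Types: 2
   ntop_t
   example_t'

# Reduce a seinfo listing (stdin) to bare type names, one per line; the header
# line contains spaces and a colon, so the pattern skips it.
types_from_seinfo() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]\{1,\}\)[[:space:]]*$/\1/p'
}

# is_permissive TYPE: succeed when TYPE is among the names read from stdin.
is_permissive() {
    grep -qx -- "$1"
}

# count_permissive: number of permissive types in a seinfo listing (stdin).
count_permissive() {
    types_from_seinfo | wc -l | tr -d ' '
}

# check_domain TYPE: report on a live system, degrading gracefully without tools.
check_domain() {
    dom=$1
    # If the whole system is permissive, no domain is denied anything anyway.
    command -v getenforce >/dev/null 2>&1 && echo "global mode: $(getenforce)"
    if command -v seinfo >/dev/null 2>&1; then
        if seinfo --permissive 2>/dev/null | types_from_seinfo | is_permissive "$dom"; then
            echo "$dom is permissive in the loaded policy"
        else
            echo "$dom is enforcing in the loaded policy"
        fi
    else
        echo "seinfo not found (install setools); cannot inspect the loaded policy"
    fi
    # Types made permissive locally (semanage permissive -a) are listed here;
    # depending on the version, builtin permissive types may be shown as well.
    command -v semanage >/dev/null 2>&1 && semanage permissive -l 2>/dev/null
    return 0
}

check_domain ntop_t
```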

