unconfined domain equals permissive?
KaiGai Kohei
kaigai at ak.jp.nec.com
Fri Sep 11 04:42:35 UTC 2009
Dan,
I could find the following policy at the recent rawhide policy.
(such as selinux-policy-3.6.31-2.fc12.src.rpm).
--------------------
interface(`unconfined_domain',`
gen_require(`
attribute unconfined_services;
')
# unconfined_domain_noaudit($1)
permissive $1;
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
')
')
--------------------
Is it a workaround fix? Or, do you have a plan to change the definition
of unconfined domains at the F-12/rawhide?
The permissive domains are also allowed to bypass MLS/MCS rules, not only
TE rules, so it seems to me its impact is a bit unignorable, if it is not
a workaround.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai at ak.jp.nec.com>
More information about the fedora-selinux-list
mailing list