unconfined domain equals permissive?
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 11 12:21:54 UTC 2009
On 09/11/2009 12:42 AM, KaiGai Kohei wrote:
> Dan,
>
> I could find the following policy in the recent rawhide policy
> (such as selinux-policy-3.6.31-2.fc12.src.rpm).
>
> --------------------
> interface(`unconfined_domain',`
>     gen_require(`
>         attribute unconfined_services;
>     ')
>
>     # unconfined_domain_noaudit($1)
>     permissive $1;
>
>     tunable_policy(`allow_execheap',`
>         auditallow $1 self:process execheap;
>     ')
> ')
> --------------------
>
> Is it a workaround fix? Or do you have a plan to change the definition
> of unconfined domains in F-12/rawhide?
>
> The permissive domains are also allowed to bypass MLS/MCS rules, not only
> TE rules, so it seems to me its impact is a bit unignorable, if it is not
> a workaround.
>
> Thanks,
No, this is temporary to help me find bugs in policy. I am encouraging people to remove the unconfined.pp policy package, which takes away the unconfined_domain. So I am just gathering AVCs until we release Beta1. I will probably change it back in about a week.
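
An added example, not part of the original thread or of the Fedora policy: a small Python check that scans policy source for active `permissive` statements and reports the enclosing interface, so that an interface which makes every calling domain permissive (as the quoted `unconfined_domain` does) stands out in policy review. The sample text reuses the interface quoted above plus constructed `old_t` and `example_t` lines; the function names are hypothetical.

```python
import re

# The interface quoted in the message above, followed by two constructed
# top-level lines (old_t and example_t are made-up type names).
SAMPLE = """\
interface(`unconfined_domain',`
    gen_require(`
        attribute unconfined_services;
    ')

    # unconfined_domain_noaudit($1)
    permissive $1;

    tunable_policy(`allow_execheap',`
        auditallow $1 self:process execheap;
    ')
')

# permissive old_t;
permissive example_t;
"""

OPEN_RE = re.compile(r"^\s*(?:interface|template)\(`([A-Za-z0-9_]+)'")
PERM_RE = re.compile(r"^\s*permissive\s+([^\s;]+)\s*;")


def find_permissive(text):
    """Return (line_no, enclosing_interface_or_None, target) for every
    active `permissive` statement; text after '#' is ignored."""
    hits, current, depth = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        m = OPEN_RE.match(line)
        if m and depth == 0:
            current = m.group(1)
        p = PERM_RE.match(line)
        if p:
            hits.append((no, current, p.group(1)))
        # m4 quotes: ` opens, ' closes; at depth 0 the macro body has ended.
        depth += line.count("`") - line.count("'")
        if depth == 0:
            current = None
    return hits


def caller_wide(hits):
    """Interfaces whose permissive target is a macro parameter ($1, $2, ...),
    i.e. every domain that calls the interface becomes permissive."""
    return sorted({name for _, name, tgt in hits if name and tgt.startswith("$")})
```
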