unconfined domain equals permissive?
Jon Mineiko
jm at row44.com
Fri Sep 11 15:09:18 UTC 2009
Can someone call me at 630-519-3323. I'm having a issue with syslog-ng
permissions too. There doesn't seem to be a policy for me to enable in
selinux. So I need help creating one. I found some documentation
online that suggests there should be.
On Sep 11, 2009, at 7:21 AM, Daniel J Walsh wrote:
> On 09/11/2009 12:42 AM, KaiGai Kohei wrote:
>> Dan,
>>
>> I could find the following policy at the recent rawhide policy.
>> (such as selinux-policy-3.6.31-2.fc12.src.rpm).
>>
>> --------------------
>> interface(`unconfined_domain',`
>> gen_require(`
>> attribute unconfined_services;
>> ')
>>
>> # unconfined_domain_noaudit($1)
>> permissive $1;
>>
>> tunable_policy(`allow_execheap',`
>> auditallow $1 self:process execheap;
>> ')
>> ')
>> --------------------
>>
>> Is it a workaround fix? Or, do you have a plan to change the
>> definition
>> of unconfined domains at the F-12/rawhide?
>>
>> The permissive domains are also allowed to bypass MLS/MCS rules,
>> not only
>> TE rules, so it seems to me its impact is a bit unignorable, if it
>> is not
>> a workaround.
>>
>> Thanks,
> No this is temporary to help me find bugs in policy. I am
> encouraging people to remove the unconfined.pp policy package which
> takes away the unconfined_domain. So I am just gathering avc's
> until we release Beta1. I will probably change it back in about a
> week.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
Jon Mineiko
Row44 Inc.
jm at row44.com
desk 630-519-3323
cell 708-321-0211
gtalk jm7000 at gmail.com
------BEGIN PGP PUBLIC KEY BLOCK-----
Version: 9.9.1.287
mQENBEpLh1kBCADYsBo2yI2wpyuX/cXObnjMIv8OL1ea21ObpOHe9x2/LL1EYp7K
+mlFhV4HntZ5bBpu7zX/fk4eF5ZCYubmrJwHn7M61hqLeo7SYnqlNQfqiQcw3+Xp
fLKVfxQxxMMoSE3Wv4NRw267F1c4wcO1M7NgraFgem4OJWZDjwA3r4FkR4n6u9ia
VxgVjugNniavUPI7TV4m+48K3kiqax8VZfaOxL31HMB6vaFjNYfI6xwM3mvkT/MT
G3btkE6PfUvVW1tW32REHk4JT5GnM4Tf2YEmnVTWVvwXbtORIb84+ozqw3MWwb0g
0mUwOSHWtK7Ao3OlpMMnam+Q15s+NAK205nDABEBAAG0HUpPTiBNSU5FSUtPIDxq
bUBkYXRhdGVsZS5jb20+iQGHBBABAgBxBQJKS43OMBSAAAAAACAAB3ByZWZlcnJl
ZC1lbWFpbC1lbmNvZGluZ0BwZ3AuY29tcGdwbWltZQcLCQgHAwIKAhkBGRhsZGFw
Oi8va2V5c2VydmVyLnBncC5jb20FGwMAAAADFgIBBR4BAAAABBUICQoACgkQ/AVQ
TqDllmu+fwgAsN2QYlyKkhtPlHuhvTA7+Zso5oWms0/ipij0wfj0oLrrifz2Ku6u
vauSat8H8BX1mVDRA7uT2cI/7umaQ8QGJWouTWokwAOgDGNdyLRpDI6ssI0i8MU9
Hv2+zKABtR7cdVsmgS3juTuyvAqxPrJ38AZEOxwY00dwwzPFlXFG8ybQ8rVzP1bD
jnk+ol6Di53v6vpJ44iJqt83LW0dYrhwQWtgbt/p+vT6XdK9S6z2HJy+Wuvdh88f
tBtxJ5p19gzSFZ71h4bOybbe4dXqZI+0U2RoMO2zYjV1zDugvpLQXCxqvYUSYwkR
m4JLG2YPnBTC7DYDR8Z8q4z55n/k2W8gCrQeSk9OIE1JTkVJS08gPGptNzAwMEBn
bWFpbC5jb20+iQGEBBABAgBuBQJKS43OMBSAAAAAACAAB3ByZWZlcnJlZC1lbWFp
bC1lbmNvZGluZ0BwZ3AuY29tcGdwbWltZQcLCQgHAwIKGRhsZGFwOi8va2V5c2Vy
dmVyLnBncC5jb20FGwMAAAADFgIBBR4BAAAABBUICQoACgkQ/AVQTqDllmsfZwgA
jpbpL5oI6TP7KC/ZmhwjWX+l6mtFVsD35l6tR/0K/Dpo1Xc2wbsPzuwkl0/3EdB8
m40L5nOt4qSWXE4nCT+18jhmvaV8fDSm6k13/iz3M7gnLySzEyF9VMpxhpIxiHzJ
gUhoOdj+RMsQQr3xxaobRN2PU9HeLJH+osFbQC3WrX0f+ha8speebe1zpNgoAzTZ
rmOpHmOlBXeaNq0WrTr1F0UOIx45tvoYe1TYXvZMgw2hTimiaVoeY4dvqma0dxFS
7NJNl0F+q8b0cIKtdSyFwzh2I0fJFatyNqZSjeUKaq9uz2WCIpYn0jTseFVsF3E8
1Rp9GTb0kddKJyvY8XSHELQaSk9OIE1JTkVJS08gPGptQHJvdzQ0LmNvbT6JAYQE
EAECAG4FAkpLjc4wFIAAAAAAIAAHcHJlZmVycmVkLWVtYWlsLWVuY29kaW5nQHBn
cC5jb21wZ3BtaW1lBwsJCAcDAgoZGGxkYXA6Ly9rZXlzZXJ2ZXIucGdwLmNvbQUb
AwAAAAMWAgEFHgEAAAAEFQgJCgAKCRD8BVBOoOWWa0yyCACmfj2KcTB+YMEoiNhT
Xp4iXBVtxzppxmpercI3NFfx4rS+33Iy/4BPEYcdQqrr1xgVCXzv/BRmwwb41PPZ
6+tstMrS8APnqsW0RIxH3gYvXMu2k9oF9aNqc04vA7wJ4hnGtONyGDl2H3vGEm+Q
qhPY6cCaPk2085hQq6pNou9XWDfun0tYhh0BhFxLpbgLAWm9EdSH0WxjfevAKIDs
dixZutxscEnABmOoNkxBgOmCcewOKTvGhFdj+bVV/VelUSfyZryKiP44hzTntRKI
jEmHA6aCDMPxicoQZFsz+KqgjYWslSwOdtd0uPe4g8gfkVoFGA17NWuWVONIVrFK
H5ystCBKT04gTUlORUlLTyA8am1pbmVpa29Acm93NDQuY29tPokBhAQQAQIAbgUC
SkuNzjAUgAAAAAAgAAdwcmVmZXJyZWQtZW1haWwtZW5jb2RpbmdAcGdwLmNvbXBn
cG1pbWUHCwkIBwMCChkYbGRhcDovL2tleXNlcnZlci5wZ3AuY29tBRsDAAAAAxYC
AQUeAQAAAAQVCAkKAAoJEPwFUE6g5ZZrmpEIAItF2XKLitkRdySD+l4qMPiTiGLe
jLovMZV5zLi5zTYAdzlyE9s3fVNEH6/sDbj5NQM6AI3YU4t0+7p90I4TWUDFJfRb
W/Rak/vaYWsSJCbeqSn1Q5hht0ffIXmzvmS1VXraTQ2Z3mSol8j/e51DkUtcVdae
CxRpT0it5pOCkz6i4y96NM8ubD7wambmBCjr3lsX5vsev8LMDfgfBJFVs8KIUEyU
SuPbKb4YT3ZV2uhbVCyLr1UJsvRTGa5fFJ6RZW2MzFmnAme+wyVPwFrqZu41OR7t
QdmigZ3im24J61Ut35ak7FEhSN/1nCbHJisB7gb5oPr/sXXmMcha57wWN065AQ0E
SkuHWgEIAMrJn6/XdkOgQBq2Sxmmn56YTOvf6iXGK4DJEqL5SIPGi9Q/JnWkyxgp
I2YwDaZkuvMctM1MpzMy9XnEEfIIMgbdCsA0OF7lzMgpU6DKVcZeaDnjiEve84Be
GNysMxBsGfkmPF+QJKHjUkCsJtl2sawoLWFd4rTOYtdYtzDd1WXKSJNAdeWrlL1e
z1GY7xAqCfHJpW85dqJfC+1gg6BDYOGwyYGo0EimPcBhBI2MRq0bDhmDlp4TqW2p
2BcgbogM+CsUR4vstirdkZdgFaOm04rI+BHERnEEzKyARlFixbQtUabwxFhO7zYx
WqLwlydiAvanq1E4ekrBEIIUW0RYEtMAEQEAAYkCQQQYAQIBKwUCSkuHWwUbDAAA
AMBdIAQZAQgABgUCSkuHWgAKCRCbWL+CsfdQBrQJB/40dKjEWAuoGap5UlHMmA2B
HG8k+yC8qmmO9MGD/mCBegBJOkILyjA+7JijwenKPAHEL6nDa5OEk+/jDxAWdku3
yuRdz4MOnb8tS0qorBLju4tddr4KcP1GlLjZdBlaK78si5QQRrx8/9fsF3LhRRK1
XrJ6aALld0SQxVKXUWrz3/xxVAPk0YyvV/U+Mh7Zwjf3R9mLp9XtFMmuokvWKNAD
VAaS5BRFtqRcQjN7tcrVwafRsqpQiP+pp1m8hKg4OoYQHKDKNUzSlVCpoh9Gy7Nx
9jXpwHl1P/niKGt5KChat5q0t8quQbnKJwj/XAi08PxafnZTN8hn+Rbd2Wc/R4E9
AAoJEPwFUE6g5ZZrueIH/R+U/XVhxaa0bQ+SMd8xrw78ejquzyak2dHfHqgSEv1T
5ormbkLVNNzlYhhhn7JwL7eEU5wKdBW2AFmm6sF5TvkydnFDRHWz8NTSXeY59ua1
7xlulHIAAwJN78Bt1z1l+SXX4x6Z6X6CbFC00/LXoHqSCUixyak6L6jkmb2P5hvl
z8pupWmnOarliIBN1FId06JSMs8TiqaGRIlDs4EAuW4zIRZke0zJBGP/P1OIEJcT
77s0QPqDVpvEK+yX7NUr/kAc3TUNj88Oov5s/eP5EPmiINctin8ISn43i8x/mPRl
GDDXUTsabwhPNYCNk3PsPvfs79Akl0Bs9yCslDayj5E=
=PDPT
-----END PGP PUBLIC KEY BLOCK-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090911/7452dcfd/attachment.htm>
More information about the fedora-selinux-list
mailing list