generating rules in permissive mode?

Dominick Grift domg472 at gmail.com
Tue Jan 5 14:49:05 UTC 2010


On 01/05/2010 03:03 PM, sai ganesh wrote:
> Hi,
>    I have a query.
> If I want to start a completely custom made service. I have defined all the
> transitions and types. Now I need only the allow rules.
> What is the difference between (going to permissive mode and checking the
> logs to generate the entire set of policy's allow rules) and (generating
> the allow rules one by one after updating the policy again and again in the
> enforcing mode)? I find it easier to generate the entire set of allow rules
> switching to permissive mode. Is there any chance that I may miss a rule if I
> switch to permissive mode and generate the rules from the logs or say I give
> extra permissions?
>
> 
> Which is the preferred method?
> 

Well it is not black or white in my opinion. Both have drawbacks.

You cannot, without testing, know whether you defined all transitions.
At least not transitions to external domains.

If you test in permissive mode you must be very careful with what you
add especially when your domain executes external executable files.

Questions like "should I domain transition or run in the local domain" are
important. Implementing a domain transition will change the whole scenario.

So if you test in permissive, then during the first run, check for
execute_no_trans in your AVC denials. Then decide whether it is best to
transition or execute_no_trans there.

If you decide to transition then basically your current batch of AVC
denials becomes useless. You would only add the domain transition policy
to your module, rebuild, reinstall and retest again.

Testing in enforcing mode is a pain.

On newer systems you can also use "Permissive domains". When you use
this you can run single domain types permissive as opposed to the whole
system. This is a nice feature and I consider this my favorite.

You will still have to be aware of implementing possible domain
transitions before anything else to avoid adding more policy than
strictly required.

Another thing you should keep in mind when using "Permissive domains" is
that although the local domain is permissive; external domains
interacting with the local domain are strictly enforced.

Thus, although your local domain type is permissive, it can still fail
to run. Simply because some external domain is denied interaction with
objects owned by the local domain or domain types owned by the local domain.

So in a nutshell:

Permissive domains:
pros: saves time
cons: external domains interacting with local permissive domain are still
denied on each system call they make.
cons: make sure you domain transition first (if required) before adding
other policy

Permissive mode:
pros: saves even more time
cons: system is unprotected.
cons: make sure you domain transition first (if required) before adding
other policy

hth
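
The triage step described above (look for execute_no_trans first, and notice denials that come from other, still enforced domains), as an added example that is not part of the original message. The sample log is constructed, the type names mysvc_t, mysvc_var_run_t and helper_exec_t are hypothetical, and the code assumes the module's own types share one name prefix.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the original message). All type
# names are hypothetical. Line 2 shows the helper running in mysvc_t, which
# is what happens in permissive mode when no transition is defined yet.
SAMPLE_LOG = """\
type=AVC msg=audit(1262702945.101:41): avc:  denied  { execute_no_trans } for  pid=2101 comm="mysvc" path="/usr/bin/helper" dev=dm-0 ino=4411 scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:helper_exec_t:s0 tclass=file
type=AVC msg=audit(1262702945.102:42): avc:  denied  { read open } for  pid=2101 comm="helper" name="resolv.conf" dev=dm-0 ino=77 scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1262702945.103:43): avc:  denied  { write } for  pid=2101 comm="mysvc" name="mysvc.pid" dev=dm-0 ino=90 scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:mysvc_var_run_t:s0 tclass=file
type=AVC msg=audit(1262702946.200:44): avc:  denied  { read } for  pid=1500 comm="logrotate" name="mysvc.pid" dev=dm-0 ino=90 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:mysvc_var_run_t:s0 tclass=file
"""

# Pull the permission set, source type, target type and class out of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\S+)")


def triage(log_text, domain, local_prefix):
    """Return (decide, candidates, external).

    decide:     target types the domain ran without transitioning; settle
                "transition or execute_no_trans" for these before anything else
    candidates: denials of the domain itself, provisional until decide is settled
    external:   other domains denied on the module's own types; these stay
                enforced even when only the local domain is permissive
    """
    decide, candidates, external = set(), defaultdict(set), defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        src, tgt, cls = m["src"], m["tgt"], m["cls"]
        perms = set(m["perms"].split())
        if src == domain:
            if cls == "file" and "execute_no_trans" in perms:
                decide.add(tgt)
            candidates[(tgt, cls)] |= perms
        elif tgt.startswith(local_prefix):
            external[(src, tgt, cls)] |= perms
    return decide, dict(candidates), dict(external)


if __name__ == "__main__":
    decide, candidates, external = triage(SAMPLE_LOG, "mysvc_t", "mysvc_")
    print("decide transition vs execute_no_trans for:", sorted(decide))
    print("candidate rules (provisional if you transition):", candidates)
    print("external domains denied on local types:", external)
```
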

