generating rules in permissive mode?

Stephen Smalley sds at tycho.nsa.gov
Tue Jan 5 15:36:19 UTC 2010


On Tue, 2010-01-05 at 19:33 +0530, sai ganesh wrote:
> hi,
>    i have a query.
> if i want to start a completely custom-made service, i have defined
> all the transitions and types. now i need only the allow rules.
> what is the difference between (going to permissive mode and checking
> the logs to generate the entire set of the policy's allow rules) and
> (generating the allow rules one by one after updating the policy
> again and again in enforcing mode)? i find it easier to generate
> the entire set of allow rules by switching to permissive mode. is there
> any chance that i may miss a rule if i switch to permissive mode and
> generate the rules from the logs, or say i give extra permissions?
> 
> 
> which is the preferred method?

One other item to keep in mind about permissive mode:  When in
permissive mode, SELinux only logs the first instance of a given
permission denial, i.e. once per (process security context, object
security context, object security class, permission) tuple and then
SELinux silences further denials on that same permission by granting the
permission until the administrator switches to enforcing mode or reloads
the policy.  This is to avoid flooding syslogd or auditd with repeated
denials on the same permission, and to avoid unnecessary duplication in
the logs as the duplicates would yield the same allow rule regardless.
It can however mask denials on different subjects/objects that happen to
be in the same security context.

See:
http://marc.info/?t=122953404700001&r=1&w=2

-- 
Stephen Smalley
National Security Agency
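The logging behaviour Stephen describes can be modelled to see why the masking matters. The following is an added example, not code from this thread or from the SELinux/audit2allow tooling: it parses a handful of constructed AVC denial lines (not captured from any real host), simulates the permissive-mode rule of "log only the first denial per (scontext, tcontext, tclass, permission) tuple and grant the rest silently", collapses the logged denials into allow rules the way audit2allow would, and then lists the other files and processes that the same tuple covered but that never reached the log. Field names follow the standard AVC record format; the function names and the sample data are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample denials as they would appear in permissive mode.
# Three of the four share one (scontext, tcontext, tclass, permission)
# tuple but come from different files and processes.
SAMPLE_AVC = [
    'type=AVC msg=audit(1262700000.101:11): avc:  denied  { read } for  pid=1201 comm="mysvc" '
    'name="a.conf" dev=sda1 ino=100 scontext=system_u:system_r:mysvc_t:s0 '
    'tcontext=system_u:object_r:mysvc_conf_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1262700000.102:12): avc:  denied  { read } for  pid=1201 comm="mysvc" '
    'name="b.conf" dev=sda1 ino=101 scontext=system_u:system_r:mysvc_t:s0 '
    'tcontext=system_u:object_r:mysvc_conf_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1262700000.103:13): avc:  denied  { write } for  pid=1201 comm="mysvc" '
    'name="mysvc.log" dev=sda1 ino=200 scontext=system_u:system_r:mysvc_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1262700000.104:14): avc:  denied  { read } for  pid=1305 comm="mysvc-helper" '
    'name="c.conf" dev=sda1 ino=102 scontext=system_u:system_r:mysvc_t:s0 '
    'tcontext=system_u:object_r:mysvc_conf_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list,
    or None when the line is not a denial record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def simulate_permissive(lines):
    """Model the behaviour described in the thread: only the first denial per
    (scontext, tcontext, tclass, perm) tuple is logged; later ones on the same
    tuple are granted without a log entry. Returns (logged, suppressed), each a
    list of (tuple, parsed record)."""
    seen = set()
    logged, suppressed = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["scontext"], rec["tcontext"], rec["tclass"], perm)
            if key in seen:
                suppressed.append((key, rec))
            else:
                seen.add(key)
                logged.append((key, rec))
    return logged, suppressed


def allow_rules(logged):
    """Collapse the logged denials into allow rules keyed on
    (source type, target type, class), as audit2allow would."""
    rules = OrderedDict()
    for (sctx, tctx, tclass, perm), _ in logged:
        rules.setdefault((context_type(sctx), context_type(tctx), tclass), []).append(perm)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(set(perms))))
            for (s, t, c), perms in rules.items()]


def masked_objects(logged, suppressed):
    """For each logged tuple, list the (pid, name) pairs of later denials that
    were granted silently. They never reach the log, so the administrator has
    no chance to judge whether each of those accesses was legitimate."""
    first = {key: (rec["pid"], rec["name"]) for key, rec in logged}
    masked = {}
    for key, rec in suppressed:
        who = (rec["pid"], rec["name"])
        if who != first[key]:
            masked.setdefault(key, []).append(who)
    return masked


if __name__ == "__main__":
    logged, suppressed = simulate_permissive(SAMPLE_AVC)
    for rule in allow_rules(logged):
        print(rule)
    for key, objs in masked_objects(logged, suppressed).items():
        print("%s also covered, unlogged: %s" % (key, objs))
```

Running it yields two allow rules from four denials, and shows that the single logged read of a.conf also stands in for b.conf and for a different process reading c.conf. The generated rule is the same either way, which is Stephen's point about the duplicates, but the log alone does not tell you that the second process and the other files were involved.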