After switching to the F12 policy I've started getting SELinux alerts from setroubleshoot looking like this:
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains were meant as a debugging and development tool. But I haven't (knowingly) made ntop_t permissive. And the command suggested in the user guide, semodule -l | grep permissive, returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning behind domains that are permissive by default documented somewhere? A blog I should read or so? Can I find out what other domains are also permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be because I run an old version. This mail is a question about the concept of domains that are permissive from the start, not this AVC.)
On Tue, Nov 24, 2009 at 06:23:17PM +0100, Göran Uddeborg wrote:
After switching to the F12 policy I've started getting SELinux alerts from setroubleshoot looking like this:
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains were meant as a debugging and development tool. But I haven't (knowingly) made ntop_t permissive. And the command suggested in the user guide, semodule -l | grep permissive, returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning behind domains that are permissive by default documented somewhere? A blog I should read or so? Can I find out what other domains are also permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be because I run an old version. This mail is a question about the concept of domains that are permissive from the start, not this AVC.)
Well, I am not sure what Fedora's policy is on this, but to me, Fedora is a development platform. Permissive domains put a domain into a permissive state. This is usually done during development of modules so that it can be tested without end-users running a risk of losing functionality.
So, yes, in a production environment you probably would not see permissive domains, but since Fedora is a development platform, policy is still tested in a permissive state. In Enterprise Linux you should not see permissive domains.
It could also be that Fedora forgot to remove the permissive declaration from the module, but I doubt that.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On 11/24/2009 12:23 PM, Göran Uddeborg wrote:
After switching to the F12 policy I've started getting SELinux alerts from setroubleshoot looking like this:
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains were meant as a debugging and development tool. But I haven't (knowingly) made ntop_t permissive. And the command suggested in the user guide, semodule -l | grep permissive, returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning behind domains that are permissive by default documented somewhere? A blog I should read or so? Can I find out what other domains are also permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be because I run an old version. This mail is a question about the concept of domains that are permissive from the start, not this AVC.)
Our thoughts on permissive domains were: when we introduce a new domain during a release, we will run it permissive until the end of a release. ntop was added to F12; it is permissive until F13, and in F13 it will be enforcing. This allows us to get all of the AVC messages for ntop without blowing it up in the real world. I don't remember if I blogged on this idea or not.
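Triaging alerts like the one above, as an added example that is not from the thread: the kernel appends a permissive=0|1 field to each AVC record in audit.log, so a small parser can separate denials that were actually enforced from AVCs that were only logged because the domain (or the whole system) is permissive. The audit lines below are constructed, and the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the thread). The kernel
# appends permissive=1 to an AVC that was logged but not enforced.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1259082197.123:456): avc:  denied  { create } for  pid=2345 comm="ntop" name="ntop" scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:ntop_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1259082197.456:457): avc:  denied  { write } for  pid=2345 comm="ntop" name="ntop.db" dev=sda2 ino=1234 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1259082201.789:460): avc:  denied  { read } for  pid=3456 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1259082201.789:460): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type:level; the type is what the policy
    # declares permissive, so that is what we key on.
    avc['stype'] = avc['scontext'].split(':')[2]
    avc['ttype'] = avc['tcontext'].split(':')[2]
    avc['perms'] = m.group('perms').split()
    # A missing permissive= field (older kernels) is treated as enforced.
    avc['enforced'] = avc.get('permissive', '0') == '0'
    return avc

def classify(log_text):
    """Count enforced vs. permissive AVCs per source domain."""
    counts = defaultdict(lambda: {'enforced': 0, 'permissive': 0})
    for avc in filter(None, map(parse_avc, log_text.splitlines())):
        counts[avc['stype']]['enforced' if avc['enforced'] else 'permissive'] += 1
    return dict(counts)

def permissive_domains(log_text):
    """Domains whose AVCs were all logged with permissive=1. Caveat: the field
    is also 1 for every AVC while the whole system is in permissive mode, so
    confirm with getenforce and seinfo --permissive before concluding."""
    return sorted(d for d, c in classify(log_text).items()
                  if c['enforced'] == 0 and c['permissive'] > 0)

def real_denials(log_text):
    """Denials that were actually enforced: (source type, target type, class, perms)."""
    return [(a['stype'], a['ttype'], a['tclass'], a['perms'])
            for a in filter(None, map(parse_avc, log_text.splitlines()))
            if a['enforced']]
```

On the sample input, ntop_t shows up only as a permissive domain while httpd_t has one real denial; the same functions run unchanged over a real /var/log/audit/audit.log.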
Daniel J Walsh:
Our thoughts on permissive domains were: when we introduce a new domain during a release, we will run it permissive until the end of a release.
Makes sense. So then I'll report issues like these as usual when I find them. (After having upgraded to the F12 version of applications, of course.)
On 11/24/2009 03:56 PM, Göran Uddeborg wrote:
Daniel J Walsh:
Our thoughts on permissive domains were: when we introduce a new domain during a release, we will run it permissive until the end of a release.
Makes sense. So then I'll report issues like these as usual when I find them. (After having upgraded to the F12 version of applications, of course.)
Yes, that is the goal: to gather as many AVC messages as possible to make it feasible to remove permissive in F13.