On Tue, 2010-01-05 at 19:33 +0530, sai ganesh wrote:
Hi,
I have a query.
If I want to start a completely custom-made service, I have defined
all the transitions and types. Now I need only the allow rules.
What is the difference between (going to permissive mode and checking
the logs to generate the entire set of the policy's allow rules) and
(generating the allow rules one by one after updating the policy
again and again in enforcing mode)? I find it easier to generate
the entire set of allow rules by switching to permissive mode. Is there
any chance that I may miss a rule if I switch to permissive mode and
generate the rules from the logs, or say I give extra permissions?
Which is the preferred method?
One other item to keep in mind about permissive mode: When in
permissive mode, SELinux only logs the first instance of a given
permission denial, i.e. once per (process security context, object
security context, object security class, permission) tuple and then
SELinux silences further denials on that same permission by granting the
permission until the administrator switches to enforcing mode or reloads
the policy. This is to avoid flooding syslogd or auditd with repeated
denials on the same permission, and to avoid unnecessary duplication in
the logs as the duplicates would yield the same allow rule regardless.
It can however mask denials on different subjects/objects that happen to
be in the same security context.
See:
http://marc.info/?t=122953404700001&r=1&w=2
--
Stephen Smalley
National Security Agency
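Added example, not part of the thread: a small Python script that applies the de-duplication Stephen describes to a constructed set of AVC denials (hypothetical mysvc_t domain and types), emitting the allow rules the log reduces to and listing the objects a permissive-mode log would have silently masked.

```python
import re
from collections import defaultdict

# Constructed AVC records in the format SELinux writes to the audit log (hypothetical
# mysvc_t domain and types). Two different files hit the same (context, class, perm) tuple.
SAMPLE_LOG = """\
type=AVC msg=audit(1262700000.123:101): avc:  denied  { read } for  pid=1234 comm="mysvc" name="conf.ini" dev=sda1 ino=2001 scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:mysvc_conf_t:s0 tclass=file
type=AVC msg=audit(1262700000.456:102): avc:  denied  { read } for  pid=1234 comm="mysvc" name="keys.ini" dev=sda1 ino=2002 scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:mysvc_conf_t:s0 tclass=file
type=AVC msg=audit(1262700001.001:103): avc:  denied  { write append } for  pid=1234 comm="mysvc" name="mysvc.log" dev=sda1 ino=3001 scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:mysvc_log_t:s0 tclass=file
type=AVC msg=audit(1262700001.200:104): avc:  denied  { name_bind } for  pid=1234 comm="mysvc" src=8080 scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
                    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
OBJ_RE = re.compile(r'\b(name|ino|src)=("?[^" ]*"?)')   # fields that identify the object

def parse_avc(line):
    """Return (scontext, tcontext, tclass, [perms], object-id) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    obj = ' '.join(f'{k}={v}' for k, v in OBJ_RE.findall(line))
    return (m['scontext'], m['tcontext'], m['tclass'], m['perms'].split(), obj)

def collapse(log):
    """Group denials by the tuple permissive mode de-duplicates on:
    (process context, object context, class, permission) -> distinct objects seen."""
    seen = defaultdict(list)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            sctx, tctx, tclass, perms, obj = rec
            for perm in perms:
                if obj not in seen[(sctx, tctx, tclass, perm)]:
                    seen[(sctx, tctx, tclass, perm)].append(obj)
    return dict(seen)

def masked_in_permissive(log):
    """Objects beyond the first per tuple: after the first denial is logged, permissive
    mode grants that permission silently, so these would never have appeared in the log."""
    return {t: objs[1:] for t, objs in collapse(log).items() if len(objs) > 1}

def allow_rules(log):
    """One allow rule per (source type, target type, class) with permissions merged,
    the same reduction audit2allow performs; the type is the third field of a context."""
    by_rule = defaultdict(set)
    for (sctx, tctx, tclass, perm) in collapse(log):
        by_rule[(sctx.split(':')[2], tctx.split(':')[2], tclass)].add(perm)
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(by_rule.items())]

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_LOG)))
    print('masked in permissive mode:', masked_in_permissive(SAMPLE_LOG))
```

Running it against a real log captured in enforcing mode (where every denial is reported) shows which tuples covered more than one object; in a permissive-mode log those later objects would simply be absent.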