On 01/05/2010 09:03 AM, sai ganesh wrote:
hi,
I have a query.
If I want to start a completely custom-made service, I have defined all the
transitions and types. Now I need only the allow rules.
What is the difference between (going to permissive mode and checking the
logs to generate the entire set of the policy's allow rules) and (generating
the allow rules one by one after updating the policy again and again in
enforcing mode)? I find it easier to generate the entire set of allow rules by
switching to permissive mode. Is there any chance that I may miss a rule if I
switch to permissive mode and generate the rules from the logs, or, say, give
extra permissions?
Which is the preferred method?
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

If you are using F11/F12 you can set up a permissive domain:

    permissive myapp_t;

This will allow you to run the machine in enforcing, but your new domain in
permissive mode.
We almost always develop policy in permissive mode, but you have to be aware
that sometimes you can deny something and cause an application to go down a
different code path. For example, apps that use the PAM stack attempt to read
shadow_t; if you dontaudit this, the app will execute a helper application to
read the shadow file. This is considered more secure.
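Added example, not code from the list thread: a minimal audit2allow-style pass in Python over constructed AVC records for a hypothetical myapp_t domain declared permissive. It merges the logged denials into allow rules the way a permissive-mode run lets you collect them all at once, and separately flags the shadow_t access from the reply above so it can be reviewed (and perhaps turned into a dontaudit) rather than silently becoming an allow rule.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not real logs), shaped like entries in
# /var/log/audit/audit.log for one run of a hypothetical myapp_t domain
# that was declared with "permissive myapp_t;" (note permissive=1).
SAMPLE_AVC = """\
type=AVC msg=audit(1262700000.101:201): avc:  denied  { read } for  pid=1234 comm="myapp" name="myapp.conf" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1262700000.102:202): avc:  denied  { open } for  pid=1234 comm="myapp" path="/etc/myapp/myapp.conf" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1262700000.150:203): avc:  denied  { name_bind } for  pid=1234 comm="myapp" src=8080 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1262700000.200:204): avc:  denied  { read } for  pid=1234 comm="myapp" name="shadow" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

# Pull the permission set, source type, target type, object class and the
# permissive flag out of one AVC line (the MLS range after the type is skipped).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_denials(log_text):
    """Return one (stype, ttype, tclass, perm, was_permissive) tuple per denied permission."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            out.append((m.group("stype"), m.group("ttype"), m.group("tclass"),
                        perm, m.group("permissive") == "1"))
    return out

def generate_allow_rules(log_text, review_types=("shadow_t",)):
    """Merge denials into allow rules (one per source/target/class, like audit2allow)
    and return (rules, flagged); flagged holds rules touching a type in review_types,
    where a dontaudit may be the better choice (the PAM/shadow_t case above)."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm, _ in parse_denials(log_text):
        perms[(stype, ttype, tclass)].add(perm)
    rules, flagged = [], []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        body = " ".join(sorted(ps))
        if len(ps) > 1:
            body = "{ " + body + " }"          # policy syntax for several permissions
        rule = f"allow {stype} {ttype}:{tclass} {body};"
        rules.append(rule)
        if ttype in review_types:
            flagged.append(rule)
    return rules, flagged
```

Running generate_allow_rules(SAMPLE_AVC) yields three allow rules and flags the shadow_t one; in enforcing mode the same run would have stopped at the first denial, so only the first rule would have shown up per iteration.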