On Tue, Nov 24, 2009 at 06:23:17PM +0100, Göran Uddeborg wrote:
After switching to F12 policy I've started getting SELinux alerts
from
setroubleshoot looking like this
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains was meant as a debugging and development
tool. But I haven't (knowingly) made ntop_t permissive. And the
command suggested in the user guide, semodule -l | grep permissive,
returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning
behind domains that are permissive by default documented somewhere? A
blog I should read or so? Can I find out what other domains are also
permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be
because I run an old version. This mail is a question about the
concept of domains that are permissive from the start, not this AVC.)
Well i am not sure what Fedoras' policy is on this, but to me, Fedora is a development
platform. Permissive domains put domain into permissive state. This usually done during
development of modules so that i can be tested without end-users running a risk of losing
functionality.
So, Yes in a production environment you probably would not see permissive domains but
since Fedora is a development platform, policy is still tested in a permissive state.
In Enterprise Linux you should not see permissive domains.
It could also be that Fedora forgot to remove the permissive declaration from the module,
but i doubt that.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list