11:23 a.m.
After switching to F12 policy I've started getting SELinux alerts from
setroubleshoot looking like this
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains was meant as a debugging and development
tool. But I haven't (knowingly) made ntop_t permissive. And the
command suggested in the user guide, semodule -l | grep permissive,
returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning
behind domains that are permissive by default documented somewhere? A
blog I should read or so? Can I find out what other domains are also
permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be
because I run an old version. This mail is a question about the
concept of domains that are permissive from the start, not this AVC.)
12:18 p.m.
On Tue, Nov 24, 2009 at 06:23:17PM +0100, Göran Uddeborg wrote:
After switching to F12 policy I've started getting SELinux alerts
from
setroubleshoot looking like this
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains was meant as a debugging and development
tool. But I haven't (knowingly) made ntop_t permissive. And the
command suggested in the user guide, semodule -l | grep permissive,
returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning
behind domains that are permissive by default documented somewhere? A
blog I should read or so? Can I find out what other domains are also
permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be
because I run an old version. This mail is a question about the
concept of domains that are permissive from the start, not this AVC.)
Well i am not sure what Fedoras' policy is on this, but to me, Fedora is a development
platform. Permissive domains put domain into permissive state. This usually done during
development of modules so that i can be tested without end-users running a risk of losing
functionality.
So, Yes in a production environment you probably would not see permissive domains but
since Fedora is a development platform, policy is still tested in a permissive state.
In Enterprise Linux you should not see permissive domains.
It could also be that Fedora forgot to remove the permissive declaration from the module,
but i doubt that.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
2:17 p.m.
On 11/24/2009 12:23 PM, Göran Uddeborg wrote:
After switching to F12 policy I've started getting SELinux alerts
from
setroubleshoot looking like this
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains was meant as a debugging and development
tool. But I haven't (knowingly) made ntop_t permissive. And the
command suggested in the user guide, semodule -l | grep permissive,
returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning
behind domains that are permissive by default documented somewhere? A
blog I should read or so? Can I find out what other domains are also
permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be
because I run an old version. This mail is a question about the
concept of domains that are permissive from the start, not this AVC.)
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Our thoughts on permissive domains was when we introduce a new domain during a
release, we will run it permissive until the end of a release. ntop was added to F12, it
is permissive until F13, In F13 it will be enforcing. This allows us to get all of the
AVC messages for ntop without blowing it up in the real world. I don't remember if I
blogged on this idea, or not.
2:56 p.m.
Daniel J Walsh:
Our thoughts on permissive domains was when we introduce a new
domain during a release, we will run it permissive until the end of
a release.
Makes sense. So then I'll report issues like these as usual when I
find them. (After having upgraded to the F12 version of applications,
of course.)
4:51 p.m.
On 11/24/2009 03:56 PM, Göran Uddeborg wrote:
Daniel J Walsh:
> Our thoughts on permissive domains was when we introduce a new
> domain during a release, we will run it permissive until the end of
> a release.
Makes sense. So then I'll report issues like these as usual when I
find them. (After having upgraded to the F12 version of applications,
of course.)
Yes that is the goal to gather as many AVC messages as possible to make
it feasible to remove permissive in F13.
5267
days inactive
5267
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Daniel J Walsh -
Dominick Grift -
Göran Uddeborg