The story behind by default permissive domains
Göran Uddeborg
goeran at uddeborg.se
Tue Nov 24 17:23:17 UTC 2009
After switching to F12 policy I've started getting SELinux alerts from
setroubleshoot looking like this
Summary:
SELinux is preventing ntop (ntop_t) "create" ntop_t.
Detailed Description:
[ntop has a permissive type (ntop_t). This access was not denied.]
I thought permissive domains was meant as a debugging and development
tool. But I haven't (knowingly) made ntop_t permissive. And the
command suggested in the user guide, semodule -l | grep permissive,
returns nothing.
So it seems ntop_t is permissive by default somehow. Is the reasoning
behind domains that are permissive by default documented somewhere? A
blog I should read or so? Can I find out what other domains are also
permissive?
(I haven't yet upgraded ntop to F12, so this particular AVC might be
because I run an old version. This mail is a question about the
concept of domains that are permissive from the start, not this AVC.)
More information about the selinux
mailing list