unconfined domain equals permissive?

KaiGai Kohei kaigai at ak.jp.nec.com
Fri Sep 11 04:42:35 UTC 2009


Dan,

I could find the following policy at the recent rawhide policy.
(such as selinux-policy-3.6.31-2.fc12.src.rpm).

--------------------
interface(`unconfined_domain',`
        gen_require(`
                attribute unconfined_services;
        ')

        #               unconfined_domain_noaudit($1)
        permissive $1;

        tunable_policy(`allow_execheap',`
                auditallow $1 self:process execheap;
        ')
')
--------------------

Is it a workaround fix? Or, do you have a plan to change the definition
of unconfined domains at the F-12/rawhide?

The permissive domains are also allowed to bypass MLS/MCS rules, not only
TE rules, so it seems to me its impact is a bit unignorable, if it is not
a workaround.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai at ak.jp.nec.com>




More information about the selinux mailing list