unconfined domain equals permissive?

KaiGai Kohei kaigai at ak.jp.nec.com
Fri Sep 11 04:42:35 UTC 2009


I found the following in the recent rawhide policy
(such as selinux-policy-3.6.31-2.fc12.src.rpm).

        attribute unconfined_services;

        #       unconfined_domain_noaudit($1)
        permissive $1;

        auditallow $1 self:process execheap;

Is this a workaround fix? Or do you have a plan to change the definition
of unconfined domains in F-12/rawhide?

Permissive domains are also allowed to bypass MLS/MCS rules, not only
TE rules, so it seems to me that its impact is a bit hard to ignore, if it
is not a workaround.

OSS Platform Development Division, NEC
KaiGai Kohei <kaigai at ak.jp.nec.com>
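
A source-level check for the construct quoted in the message, added here as an example that is not part of the original post or of the selinux-policy package: it scans refpolicy-style text for live `permissive` statements and flags interfaces that apply one to a macro argument, which makes every calling domain permissive. The sample policy text and the function names are constructed for illustration.

```python
import re

# Constructed samples of refpolicy-style source. The permissive and auditallow
# lines mirror the excerpt quoted above; everything else is made up.
SAMPLE_IF = r"""
interface(`unconfined_domain',`
    gen_require(`
        attribute unconfined_services;
    ')
#   unconfined_domain_noaudit($1)
    permissive $1;
    auditallow $1 self:process execheap;
')
interface(`example_read_conf',`
    allow $1 example_conf_t:file read;
')
"""
SAMPLE_TE = r"""
type example_t;
permissive example_t;
# permissive old_t;
"""

HEAD = re.compile(r"^\s*(?:interface|template)\(`([A-Za-z0-9_]+)'")
PERMISSIVE = re.compile(r"^\s*permissive\s+(\$\d+|[A-Za-z0-9_]+)\s*;")

def find_permissive(text):
    """Return (enclosing interface or None, target, line number) per live statement."""
    hits, current, depth = [], None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]              # drop commented-out text
        head = HEAD.match(line)
        if head and depth == 0:
            current = head.group(1)
        stmt = PERMISSIVE.match(line)
        if stmt:
            hits.append((current, stmt.group(1), lineno))
        depth += line.count("`") - line.count("'")   # m4 quotes: ` opens, ' closes
        if depth <= 0:
            depth, current = 0, None
    return hits

def caller_permissive_interfaces(text):
    """Interfaces that mark a macro argument ($N) permissive, i.e. every caller's domain."""
    return sorted({n for n, t, _ in find_permissive(text) if n and t.startswith("$")})

if __name__ == "__main__":
    for name, target, lineno in find_permissive(SAMPLE_IF) + find_permissive(SAMPLE_TE):
        print(f"line {lineno}: permissive {target} (in {name or 'top level'})")
```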
