generating rules in permissive mode?

Daniel J Walsh dwalsh at redhat.com
Tue Jan 5 14:37:04 UTC 2010


On 01/05/2010 09:03 AM, sai ganesh wrote:
> Hi,
>    I have a query.
> If I want to start a completely custom-made service, I have defined all the
> transitions and types. Now I need only the allow rules.
> What is the difference between (going to permissive mode and checking the
> logs to generate the entire set of the policy's allow rules) and (generating
> the allow rules one by one after updating the policy again and again in
> enforcing mode)? I find it easier to generate the entire set of allow rules
> by switching to permissive mode. Is there any chance that I may miss a rule if I
> switch to permissive mode and generate the rules from the logs, or say I give
> extra permissions?
> 
> 
> Which is the preferred method?
> 
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If you are using F11/F12 you can set up a permissive domain:

permissive myapp_t;

This will allow you to run the machine in enforcing, but your new domain in permissive mode.

We almost always develop policy in permissive mode, but you have to be aware that sometimes you can deny something
and cause an application to go down a different code path. For example, apps that use the PAM stack attempt to read shadow_t; if you dontaudit this, the app will execute a helper application to read the shadow file. This is considered more secure.
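The workflow described above, as an added example that is not part of the original post or of the SELinux project's own tooling: a policy module that declares the domain permissive, a few constructed AVC denial lines of the kind a permissive myapp_t would log, a small awk converter that stands in for audit2allow and merges denials into allow rules, and a review step that turns shadow_t access into dontaudit rather than allow, as the note about PAM and the shadow helper suggests. The domain name myapp_t is from the post; the module name, the executable type myapp_exec_t, the sample log lines and the helper functions are assumptions for illustration, and on a real system checkmodule/semodule and audit2allow would do the work the shell functions do here.

```bash
#!/bin/sh
# Added example, not the post's or the SELinux project's code.

# 1. Policy module for the hypothetical domain myapp_t, declared permissive so
#    only this domain logs denials without blocking while the rest of the box
#    stays in enforcing mode (refpolicy macros; module name is an assumption).
write_te() {
cat <<'EOF'
policy_module(myapp, 1.0)
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)
permissive myapp_t;
EOF
}

# Constructed AVC denial lines, shaped like what a permissive myapp_t logs
# (permissive=1: the access was allowed through but still audited).
SAMPLE_AVC='type=AVC msg=audit(1262700000.123:45): avc:  denied  { read } for  pid=1234 comm="myapp" name="myapp.conf" dev=sda1 ino=9 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1262700000.456:46): avc:  denied  { read open } for  pid=1234 comm="myapp" name="shadow" dev=sda1 ino=10 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1262700000.789:47): avc:  denied  { name_bind } for  pid=1234 comm="myapp" src=8080 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1'

# 2. Turn denials into allow rules, one per (source type, target type, class),
#    merging permissions. A toy stand-in for `audit2allow -i <logfile>`.
avc_to_allow() {
  awk '
  /avc: *denied/ {
    st = tt = cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split($i, s, ":"); st = s[3] }   # user:role:TYPE:level
      if ($i ~ /^tcontext=/) { split($i, t, ":"); tt = t[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    if (match($0, /[{][^}]*[}]/) == 0 || st == "" || tt == "" || cls == "") next
    perms = substr($0, RSTART + 1, RLENGTH - 2)
    key = st SUBSEP tt SUBSEP cls
    np = split(perms, pa, " ")
    for (j = 1; j <= np; j++)
      if (!((key, pa[j]) in seen)) { seen[key, pa[j]] = 1; rules[key] = rules[key] " " pa[j] }
  }
  END {
    for (k in rules) {
      split(k, kk, SUBSEP)
      np = split(rules[k], pa, " ")
      p = (np == 1) ? pa[1] : "{" rules[k] " }"
      printf "allow %s %s:%s %s;\n", kk[1], kk[2], kk[3], p
    }
  }' | sort
}

# 3. Review step: a denial is not automatically an allow. Access to shadow_t is
#    turned into dontaudit so the application takes the helper code path the
#    post describes, instead of being granted direct reads of the shadow file.
review_rules() {
  awk '
  /^allow [^ ]+ shadow_t:/ {
    print "# shadow_t: dontaudit rather than allow, so the app uses its helper"
    sub(/^allow/, "dontaudit")
  }
  { print }'
}

# Whole pipeline: permissive-mode log -> candidate rules -> reviewed rules.
generate_rules() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | review_rules
}

write_te
echo
generate_rules
```

Running the script prints the .te module followed by three rules: allow rules for etc_t and http_cache_port_t, and a dontaudit rule for shadow_t with the two permissions merged into one rule. Whatever generator is used, the rules it emits are only what the logged code paths exercised, which is why the review pass matters before loading them.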
