fedup and selinux

Rick Stevens ricks at alldigital.com
Tue Dec 24 18:52:25 UTC 2013


On 12/24/2013 10:27 AM, Marko Vojinovic issued this missive:
> On Tue, 24 Dec 2013 09:48:38 -0800
> Rick Stevens <ricks at alldigital.com> wrote:
>> I've said this before and I'll say it again...permissive mode does NOT
>> allow ALL access (permissive != disabled, despite what others may
>> say). If you see selinux deny messages, it's still being denied. I've
>> seen this bite people a number of times.
>
> Care to give a F18/19/20-working example of this?
>
> IOW, provide a sequence of steps on a clean Fedora install that works
> with selinux disabled, while it fails with selinux in permissive mode?

I don't have examples at hand, but I have seen FTP-related stuff, some
upgrades and some other network-related things fail when SELinux is in
permissive mode and work just fine when it's disabled. I never bothered
tracking specifically what they are--it's just when they poop out, I've
disabled SELinux, redone it and it's worked fine. I have then put it
back in permissive mode, looked at the denial messages and put in local
rules to cover them and gone to "targeted" mode.

Permissive does allow most actions, but there are some things it still
denies. I guess "permissive" should be taken literally, like "we're
relaxing most of the rules, but there are some we are going to enforce
as long as we're in charge."

As I said, I don't have examples but the OP on this thread ran into the
same thing I've hit in the past. He went from permissive to disabled and
it worked. I'm just saying that permissive is not the same thing as
disabled.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-         Microsoft Windows:  Proof that P.T. Barnum was right       -
----------------------------------------------------------------------
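
The workflow described in the message above (read the denial messages logged while in permissive mode, then write local rules that cover them), as an added example that is not part of the original post. The audit log lines are constructed samples and the function names are hypothetical; the output uses the `allow` rule syntax of SELinux policy.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1387911145.123:456): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="upload" dev="dm-0" ino=131 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1387911145.130:457): avc:  denied  { open getattr } for  pid=1234 comm="vsftpd" path="/home/u/upload" dev="dm-0" ino=131 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SERVICE_START msg=audit(1387911146.000:458): pid=1 uid=0 comm="systemd" res=success
type=AVC msg=audit(1387911150.001:460): avc:  denied  { name_connect } for  pid=1300 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)

def se_type(context):
    # A context is user:role:type:level; the level may itself contain colons.
    return context.split(":")[2]

def collect_denials(log_text):
    # Merge denied permissions per (source type, target type, class).
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (se_type(m["s"]), se_type(m["t"]), m["c"])
        denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    # One allow rule per key; braces only when there are several permissions.
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    # Review each rule before loading it; a boolean or a relabel is often narrower.
    for rule in allow_rules(collect_denials(SAMPLE_LOG)):
        print(rule)
```
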