From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: Re: concept of a permissive domain From: Brett Lentz To: Daniel J Walsh Cc: Stefan Schulze Frielinghaus , Chad Sellers , Karl MacMillan , Stephen Smalley , Eric Paris , selinux@tycho.nsa.gov In-Reply-To: <47135FCE.5000403@redhat.com> References: <4710CA44.1040300@redhat.com> <1192356878.3376.3.camel@vogon> <47135FCE.5000403@redhat.com> Content-Type: text/plain Date: Mon, 15 Oct 2007 09:52:57 -0700 Message-Id: <1192467177.28762.7.camel@blentz> Mime-Version: 1.0 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov On Mon, 2007-10-15 at 08:40 -0400, Daniel J Walsh wrote: > >> - From the user point of view we could change the setenforce command > >> > >> setenforce 0 > >> setenforce httpd_t 0 > >> > >> getenforce 0 > >> getenforce httpd_t 0 > >> > >> Then we could replace both to do something in semanage to rebuild and > >> reload policy. > > > > But that would mean e.g. consider apache that you would have to > > setenforce for every domain type? > > > > apache_t > > apache_helper_t > > apache_php_t > > httpd_rotatelogs_t > > httpd_suexec_t > > ... > > > > There wouldn't be a setenforce for a whole module, right? > > > > Stefan > > > Yes although it is doubtful you would have all of those running at the > same time. (httpd_t and httpd_helper_t). > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFHE1/NrlYvE4MpobMRAuiiAKDgSEfnJHsFI9R1nmvvPx6PrhuQ9QCeIQHh > p4+2X7ixDbvoxSyMjrReLCE= > =6X1D > -----END PGP SIGNATURE----- As an SELinux user, it makes the most sense to me for this capability to be accessible on a per-module basis rather than per-domain. I would much rather set the httpd module as a whole to permissive rather than fiddle around trying to A) set all of httpd's domains to permissive and B) requiring a fairly significant amount of knowledge of the security policy to know which domains may require this intervention. I think that per-domain permissive is probably useful for certain kinds of policy development, but per-module permissive would be significantly more useful for the work that I'm currently doing with SELinux. _______________________________ Brett Lentz | CarDomain Network System Administrator blentz@cardomain.com | tel 206.926.2109 | cell 206.851.6669 http://www.cardomain.com/id/wakko666 One organism, one vote. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.