From: Daniel J Walsh <dwalsh@redhat.com>
To: Todd Miller <Tmiller@tresys.com>
Cc: "Christopher J. PeBenito" <cpebenito@tresys.com>,
Joshua Brindle <jbrindle@tresys.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@redhat.com>, selinux <selinux@tycho.nsa.gov>,
jmorris@namei.org, method@manicmethod.com,
Karl MacMillan <kmacmillan@tresys.com>,
setools <setools@tresys.com>,
pmoore@hp.com
Subject: Re: how to implement permissive domains + an old bug
Date: Mon, 25 Feb 2008 17:13:24 -0500
Message-ID: <47C33D84.8060909@redhat.com>
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B015880195C8D7@exchange.columbia.tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Todd Miller wrote:
> Christopher J. PeBenito wrote:
>> I don't like the magic attributes as permissive is a mechanism option.
>> It has no meaning in the policy, only in the enforcement. I'd really
>> prefer some other option in selinuxfs or a proc/pid/attr, but since
>> that doesn't seem to be an option, I'd rather have a policy primitive.
>
> To my mind the important thing to decide is whether permissive domains
> should be persistent in the policy or not. If not, then an entry in
> selinuxfs would be appropriate. If we do want it to be persistent,
> our options include making it a policy primitive, a magic type
> attribute, or a semanage option. Of those, only the policy primitive
> requires changes to the policy parser.
>
> I don't have a strong opinion on this myself, though my gut reaction is
> that persistence is a useful property.
>
> - todd
They have to be persistent, as I would figure on domains being run in
permissive mode for many months if the chance of the confined domain
going down would be costly. Personally I would like to put out every
new confined domain in permissive mode for a few weeks until we get out
the bugs in policy. (qemu a couple of weeks ago.) It would also be
helpful if an administrator could quickly turn a broken domain
permissive rather than putting the entire machine in permissive mode.
I could see the situation of temporarily turning the domain permissive
when the admin suspects SELinux is causing problems with an app, in
order to prove/disprove SELinux is the problem.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkfDPYMACgkQrlYvE4MpobMTJwCdFt5eOlgSJpLY7SvSom5764XX
8r4An0fzWB3477QCF3tfV/iA5w+0dpG5
=TVJo
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
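The workflow discussed in this message (run a new confined domain permissive for a while, collect the policy bugs, then put it back in enforcing) produces its evidence in the audit log. The following is an added example, not code from the thread or from the SELinux project: it harvests AVC denials from a domain that ran permissive and aggregates them into candidate allow rules, audit2allow-style, while keeping denials from enforcing domains out of the result. It assumes a kernel that appends a `permissive=0/1` field to each AVC record (as later kernels do); the audit lines, type names, and process names are constructed for the example.

```python
# Added example (not code from the thread): harvest AVC denials logged while a
# domain ran permissive and turn them into candidate allow rules, the way
# audit2allow does, while keeping denials from enforcing domains separate.
# Assumes the audit record format with a trailing permissive=0/1 field that
# later kernels append to AVC messages. All log lines below are constructed.
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit log: qemu_t running permissive, httpd_t still
# enforcing, and one SYSCALL record that is not an AVC denial at all.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1203975204.118:301): avc:  denied  { read } for  pid=2314 comm="qemu" name="disk.img" dev=sda3 ino=14021 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file permissive=1
type=AVC msg=audit(1203975204.120:302): avc:  denied  { write } for  pid=2314 comm="qemu" name="disk.img" dev=sda3 ino=14021 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file permissive=1
type=AVC msg=audit(1203975205.001:303): avc:  denied  { name_bind } for  pid=2314 comm="qemu" src=5900 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1203975206.500:304): avc:  denied  { read } for  pid=1981 comm="httpd" name="shadow" dev=sda3 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1203975206.500:304): arch=c000003e syscall=2 success=no exit=-13
"""


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        # A context is user:role:type[:range]; policy rules name the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=1: the kernel logged the denial but let the access happen.
        # Records from kernels without the field come back as None (unknown).
        "permissive": {"1": True, "0": False}.get(fields.get("permissive")),
    }


def permissive_domains(lines):
    """Source types that were observed with permissive=1 in the log."""
    return {r["source"] for r in map(parse_avc, lines) if r and r["permissive"]}


def candidate_rules(lines):
    """Aggregate permissive denials into allow rules; return the rest separately.

    Only denials with permissive=1 become candidate rules: the process went on
    to perform the access, so the rule is needed for the domain to keep working
    once it is back in enforcing mode. Denials from enforcing domains (or of
    unknown status) are returned in `skipped` so that running this over a whole
    audit log never silently widens a domain that is actually being enforced.
    """
    perms_by_key = defaultdict(set)
    skipped = []
    for rec in map(parse_avc, lines):
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        if rec["permissive"] is True:
            perms_by_key[key] |= rec["perms"]
        else:
            skipped.append((key, frozenset(rec["perms"])))
    rules = [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]
    return rules, skipped


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print("domains seen permissive:", sorted(permissive_domains(lines)))
    rules, skipped = candidate_rules(lines)
    print("\n".join(rules))
    for key, perms in skipped:
        print(f"# not included (enforcing or unknown): {key} {sorted(perms)}")
```

Two caveats a practitioner should keep in mind. First, `permissive=1` only says the decision was not enforced; a machine that is globally permissive (`setenforce 0`) logs every denial that way too, so check `getenforce` before treating the harvested rules as belonging to a per-domain experiment. Second, a denial is evidence that the access happened, not that it should be allowed: review each candidate rule, since a mislabeled file or a genuinely unwanted access (the httpd_t read of shadow_t above is the classic case) looks exactly like a policy gap in the log.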
Thread overview (19+ messages):
2008-02-15 17:50 how to implement permissive domains + an old bug Eric Paris
2008-02-15 18:14 ` Stephen Smalley
2008-02-15 18:35 ` Joshua Brindle
2008-02-15 18:57 ` Stephen Smalley
2008-02-15 19:43 ` Eric Paris
2008-02-15 19:54 ` Stephen Smalley
2008-02-15 20:16 ` Stephen Smalley
2008-02-15 20:17 ` Joshua Brindle
2008-02-25 13:51 ` Stephen Smalley
2008-02-25 14:01 ` Daniel J Walsh
2008-02-25 14:53 ` Joshua Brindle
2008-02-25 19:48 ` Stephen Smalley
2008-02-25 20:16 ` Eric Paris
2008-02-25 20:40 ` Joshua Brindle
2008-02-25 21:03 ` Christopher J. PeBenito
2008-02-25 21:09 ` Daniel J Walsh
2008-02-25 21:52 ` Todd Miller
2008-02-25 22:13 ` Daniel J Walsh [this message]
2008-02-25 21:08 ` Stephen Smalley