Re: Forward looking to FC2 final and SELinux


 



Jeremy Katz wrote:

On Thu, 2004-04-08 at 03:46 -0300, Alexandre Oliva wrote:


On Apr 7, 2004, Matias Feliciano <feliciano.matias@xxxxxxx> wrote:


On Tue 06/04/2004 at 20:59, Jesse Keating wrote:


[...]
The option for SELinux should continue to be exposed during the install (and kickstarts), but default to off.


+1


How would you feel about permissive mode instead of disabled as the
default?



One problem with this is that if you're running in permissive mode, then domain transitions which were expected to occur may not (because you would have been denied to do something first if you were running in enforcing mode). This makes switching from permissive to enforcing an operation that requires the (imho) broken relabeling of your entire fs.

So I'm not convinced that permissive by default actually buys us
anything.

Jeremy



There are also several applications that will exit out if one of the set context calls fails. They don't currently check security_getenforce(). Vixie Cron, for example, although I am fixing it now.


Dan
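
The failure mode Dan describes, as an added example that is not part of the original message and is not the Vixie Cron fix itself: a failed context call is treated as fatal only when security_getenforce() reports enforcing mode. The `selinux_ops` indirection, `prepare_job_context`, `simulate`, the `USE_LIBSELINUX` build switch and the sample context string are assumptions made for illustration; only `setexeccon()` and `security_getenforce()` are real libselinux calls.

```c
/* Build against libselinux with: cc -DUSE_LIBSELINUX example.c -lselinux
 * Without the define, the constructed stand-ins below are used instead. */
#include <stdio.h>
#ifdef USE_LIBSELINUX
#include <selinux/selinux.h>
#endif

#define SAMPLE_CTX "system_u:system_r:crond_t"  /* constructed sample context */

/* Hypothetical indirection so the decision can be exercised without SELinux. */
struct selinux_ops {
    int (*set_exec_context)(const char *ctx);  /* setexeccon() in real use */
    int (*get_enforce)(void);                  /* security_getenforce() in real use */
};

/* Returns 0 if the job may run, -1 if it must be refused. */
int prepare_job_context(const struct selinux_ops *ops, const char *ctx)
{
    if (ops->set_exec_context(ctx) == 0)
        return 0;
    /* security_getenforce(): 1 = enforcing, 0 = permissive, -1 = error.
     * Assumption: only a positive answer makes the failure fatal. */
    if (ops->get_enforce() > 0) {
        fprintf(stderr, "refusing job: cannot set context %s\n", ctx);
        return -1;
    }
    fprintf(stderr, "warning: cannot set context %s, not enforcing, continuing\n", ctx);
    return 0;
}

/* Constructed stand-ins that return whatever simulate() was asked for. */
static int sim_rc, sim_mode;
static int sim_set(const char *ctx) { (void)ctx; return sim_rc; }
static int sim_enforce(void) { return sim_mode; }

int simulate(int set_rc, int mode)
{
    struct selinux_ops ops = { sim_set, sim_enforce };
    sim_rc = set_rc;
    sim_mode = mode;
    return prepare_job_context(&ops, SAMPLE_CTX);
}

int main(void)
{
#ifdef USE_LIBSELINUX
    struct selinux_ops ops = { setexeccon, security_getenforce };
    return prepare_job_context(&ops, SAMPLE_CTX) ? 1 : 0;
#else
    return simulate(-1, 0) == 0 && simulate(-1, 1) == -1 ? 0 : 1;
#endif
}
```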






