Re: SELinux permissive domains in non-Fedora tree

On 06/05/2009 08:51 AM, Stephen Smalley wrote:
On Fri, 2009-06-05 at 09:30 +0100, Ted Rule wrote:
I was much cheered last year to see Dan's permissive domains feature
make it into the Fedora Policy, as per his livejournal article:

    http://danwalsh.livejournal.com/24537.html

I had rather rashly hoped that this would make it into the main RedHat
tree quite quickly as it seems so very useful for testing new applications.

Sadly, it doesn't appear to exist in one of my CentOS5.3 instances
running these versions - at least "semanage --help" suggests that it's
not there, and I'm assuming that CentOS5.3 is near enough in policy
version to RHEL5 to show that RHEL5 lacks the feature:

$ rpm -q policycoreutils selinux-policy-targeted kernel
policycoreutils-1.33.12-14.2.el5
selinux-policy-targeted-2.4.6-203.el5
kernel-2.6.18-92.el5
kernel-2.6.18-128.1.10.el5

but of course it does exist in my F10 instance running these:

$ rpm -q policycoreutils selinux-policy-targeted kernel
policycoreutils-2.0.57-14.fc10.i386
selinux-policy-targeted-3.5.13-38.fc10.noarch
kernel-2.6.27.9-159.fc10.i686


Is there a timescale for adding this feature to RHEL5, or will it have
to wait until RHEL6? Is there some sort of workaround to run the F10 policy
on a CentOS5 box to get the feature, or does that simply involve so many
version changes to umpteen other packages as to be a fruitless exercise?

I can't speak to your question about when or whether it would be
backported to RHEL5, but it would require back porting the patches to
the kernel, libsepol, checkpolicy, and policycoreutils (semanage).  And
due to the incremental nature of the binary policy format versions, they
would also have to back port the policy capabilities patches.  It would
certainly be a nice feature to have in RHEL5.

Well, backporting major features to RHEL5 is frowned upon from a risk factor. So I do not see this feature being back ported. We will be releasing semodule -DB in RHEL5.4 though.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
