Re: unconfined domain equals permissive?

On 09/11/2009 12:42 AM, KaiGai Kohei wrote:
> Dan,
> 
> I could find the following policy at the recent rawhide policy.
> (such as selinux-policy-3.6.31-2.fc12.src.rpm).
> 
> --------------------
> interface(`unconfined_domain',`
>         gen_require(`
>                 attribute unconfined_services;
>         ')
> 
>         #               unconfined_domain_noaudit($1)
>         permissive $1;
> 
>         tunable_policy(`allow_execheap',`
>                 auditallow $1 self:process execheap;
>         ')
> ')
> --------------------
> 
> Is it a workaround fix? Or, do you have a plan to change the definition
> of unconfined domains at the F-12/rawhide?
> 
> The permissive domains are also allowed to bypass MLS/MCS rules, not only
> TE rules, so it seems to me its impact is a bit unignorable, if it is not
> a workaround.
> 
> Thanks,
No, this is temporary to help me find bugs in policy. I am encouraging people to remove the unconfined.pp policy package, which takes away the unconfined_domain. So I am just gathering AVCs until we release Beta1. I will probably change it back in about a week.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
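
The reply above describes collecting AVC messages from domains that were made permissive. As an added example (not code from the thread or from the selinux-policy project), this sketch groups AVC denials by source type, target type and class, and records whether each one was only logged or actually blocked. The log lines and the type names exampled_t and otherd_t are constructed, and the permissive= field is assumed to be present as it is on newer kernels; records without it are reported as unknown.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread). The
# permissive= field is emitted by newer kernels; older records lack it.
SAMPLE_LOG = """\
type=AVC msg=audit(1252650000.101:41): avc:  denied  { read write } for  pid=2101 comm="exampled" name="state.db" dev=dm-0 ino=1201 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1252650000.207:42): avc:  denied  { getattr } for  pid=2101 comm="exampled" path="/var/lib/example/state.db" dev=dm-0 ino=1201 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1252650003.310:43): avc:  denied  { name_bind } for  pid=2250 comm="otherd" src=8081 scontext=system_u:system_r:otherd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1252650003.310:43): arch=c000003e syscall=49 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:range] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "permissive": None})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the SYSCALL record)
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        entry = summary[key]
        entry["perms"].update(m["perms"].split())
        if m["permissive"] is not None:
            # True means the access was logged but still allowed.
            entry["permissive"] = m["permissive"] == "1"
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), e in sorted(summarize(SAMPLE_LOG).items()):
        mode = {True: "permissive", False: "enforced", None: "unknown"}[e["permissive"]]
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }} [{mode}]")
```

Entries marked permissive are the ones that would become real denials once the domain is enforced again, so they are the ones to resolve in policy first.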
