On Tue, Nov 24, 2009 at 06:23:17PM +0100, Göran Uddeborg wrote:
> After switching to F12 policy I've started getting SELinux alerts from
> setroubleshoot looking like this
>
> Summary:
>
> SELinux is preventing ntop (ntop_t) "create" ntop_t.
>
> Detailed Description:
>
> [ntop has a permissive type (ntop_t). This access was not denied.]
>
> I thought permissive domains were meant as a debugging and development
> tool. But I haven't (knowingly) made ntop_t permissive. And the
> command suggested in the user guide, semodule -l | grep permissive,
> returns nothing.
>
> So it seems ntop_t is permissive by default somehow. Is the reasoning
> behind domains that are permissive by default documented somewhere? A
> blog I should read or so? Can I find out what other domains are also
> permissive?
>
> (I haven't yet upgraded ntop to F12, so this particular AVC might be
> because I run an old version. This mail is a question about the
> concept of domains that are permissive from the start, not this AVC.)

Well, I am not sure what Fedora's policy is on this, but to me, Fedora is a development platform.

Permissive domains put a domain into a permissive state. This is usually done during development of modules so that it can be tested without end-users running a risk of losing functionality.

So, yes, in a production environment you probably would not see permissive domains, but since Fedora is a development platform, policy is still tested in a permissive state. In Enterprise Linux you should not see permissive domains.

It could also be that Fedora forgot to remove the permissive declaration from the module, but I doubt that.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
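Two helpers for the questions raised in the thread (which domains are permissive, and what a permissive domain was "not denied"), added here as an example and not code from the list or from the SELinux project. It assumes setools' `seinfo` is installed for the first function; the audit records in it are constructed, not real log data.

```sh
#!/bin/sh
# All permissive types in the currently loaded policy, one per line.
# Covers types declared permissive inside a policy module (as ntop_t is in
# the thread) as well as ones added locally with `semanage permissive -a`;
# `semodule -l | grep permissive` only shows the latter, because those are
# installed as separate "permissive_<type>" modules.
# Assumes setools' seinfo, whose listing indents each type name.
list_permissive_types() {
    seinfo --permissive | sed -n 's/^[[:space:]]\{1,\}\([A-Za-z0-9_]*_t\)$/\1/p' | sort
}

# Kernels that support permissive domains tag every AVC record with
# permissive=0|1; setroubleshoot's "This access was not denied" text comes
# from permissive=1. Read audit lines on stdin and print
# "<source type> <permission(s)> <target class>" for each access that
# enforcing mode would have blocked, deduplicated. Useful for reviewing what
# a permissive domain actually did before the policy goes enforcing.
permissive_avcs() {
    awk '/type=AVC/ && /permissive=1/ {
        src = ""; cls = ""; perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, sc, ":"); src = sc[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # permissions sit between "{ " and " }" in the record
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        print src, perm, cls
    }' | sort -u
}

# Constructed sample records: one permissive hit for ntop_t and one ordinary
# denial in an enforcing domain (httpd_t), which must not be reported.
SAMPLE_AUDIT='type=AVC msg=audit(1259083397.123:42): avc:  denied  { create } for  pid=1234 comm="ntop" scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1259083398.456:43): avc:  denied  { read } for  pid=5678 comm="httpd" name="secret" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Run the parser over the constructed sample.
report_sample() {
    printf '%s\n' "$SAMPLE_AUDIT" | permissive_avcs
}
```

On a live system, `ausearch -m avc | permissive_avcs` gives the same report over the real audit log.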