Re: generating rules in permissive mode?

On 01/05/2010 09:03 AM, sai ganesh wrote:
> Hi,
>    I have a query.
> If I want to start a completely custom-made service, I have defined all the
> transitions and types. Now I need only the allow rules.
> What is the difference between (going to permissive mode and checking the
> logs to generate the entire set of the policy's allow rules) and (generating
> the allow rules one by one after updating the policy again and again in
> enforcing mode)? I find it easier to generate the entire set of allow rules by
> switching to permissive mode. Is there any chance that I may miss a rule if I
> switch to permissive mode and generate the rules from the logs, or, say, I give
> extra permissions?
> 
> 
> Which is the preferred method?
> 
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If you are using F11/F12 you can set up a permissive domain:

permissive myapp_t;

This will allow you to run the machine in enforcing, but your new domain in permissive mode.

We almost always develop policy in permissive mode, but you have to be aware that sometimes you can deny something and cause an application to go down a different code path.  For example, apps that use the PAM stack attempt to read shadow_t; if you dontaudit this, the app will execute a helper application to read the shadow file.  This is considered more secure.
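
An added example, not part of the original thread and not audit2allow itself: a Python function that turns AVC denials logged while myapp_t is permissive into candidate allow rules, setting accesses to shadow_t aside as dontaudit candidates in line with the caveat above. The log lines are constructed, and `rules_from_avc` and its `review_types` parameter are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the original thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1262700000.101:11): avc:  denied  { read } for  pid=2001 comm="myapp" name="myapp.conf" dev=dm-0 ino=1201 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262700000.102:12): avc:  denied  { getattr } for  pid=2001 comm="myapp" path="/etc/myapp.conf" dev=dm-0 ino=1201 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262700000.200:13): avc:  denied  { read } for  pid=2001 comm="myapp" name="shadow" dev=dm-0 ino=1300 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1262700000.300:14): avc:  denied  { read } for  pid=1500 comm="httpd" name="app.log" dev=dm-0 ino=1400 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1262700000.400:15): avc:  denied  { name_bind } for  pid=2001 comm="myapp" src=8123 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Pull permissions, source type, target type and object class from one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)


def rules_from_avc(log_text, domain, review_types=("shadow_t",)):
    """Return (allow_rules, dontaudit_candidates) for one source domain.

    review_types is an assumption of this example: target types that should
    not be granted just because a permissive run logged the access.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["src"] != domain:
            continue  # not an AVC denial for the domain under development
        grouped[(m["tgt"], m["cls"])].update(m["perms"].split())

    allow, review = [], []
    for (tgt, cls), perms in sorted(grouped.items()):
        body = f"{domain} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in review_types:
            review.append("dontaudit " + body)  # keep denied, silence the log
        else:
            allow.append("allow " + body)
    return allow, review


if __name__ == "__main__":
    allow_rules, review_rules = rules_from_avc(SAMPLE_LOG, "myapp_t")
    print("\n".join(allow_rules + review_rules))
```

After loading the dontaudit rule, the service needs another test run, since the denied read can send it down a code path whose accesses the permissive log never recorded.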

