On 01/05/2010 03:03 PM, sai ganesh wrote:
> Hi,
> I have a query.
> If I want to start a completely custom made service, I have defined all the transitions and types. Now I need only the allow rules.
> What is the difference between (going to permissive mode and checking the logs to generate the entire set of the policy's allow rules) and (generating the allow rules one by one after updating the policy again and again in enforcing mode)? I find it easier to generate the entire set of allow rules by switching to permissive mode. Is there any chance that I may miss a rule if I switch to permissive mode and generate the rules from the logs, or, say, give extra permissions?
>
> Which is the preferred method?

Well, it is not black or white in my opinion. Both have drawbacks.

You cannot know without testing whether you defined all transitions. At least not transitions to external domains. If you test in permissive mode you must be very careful with what you add, especially when your domain executes external executable files. Questions like "should I domain transition or run in the local domain" are important. Implementing a domain transition will change the whole scenario.

So if you test in permissive, then during the first run, check for execute_no_trans in your AVC denials. Then decide whether it is best to transition or execute_no_trans there. If you decide to transition then basically your current batch of AVC denials becomes useless. You would only add the domain transition policy to your module, rebuild, reinstall and retest again.

Testing in enforcing mode is a pain.

On newer systems you can also use "Permissive domains". When you use this you can run single domain types permissive as opposed to the whole system. This is a nice feature and I consider this my favorite. You will still have to be aware of implementing possible domain transitions before anything else to avoid adding more policy than strictly required.
Another thing you should keep in mind when using "Permissive domains" is that although the local domain is permissive, external domains interacting with the local domain are strictly enforced. Thus, although your local domain type is permissive, it can still fail to run, simply because some external domain is denied interaction with objects owned by the local domain or domain types owned by the local domain.

So in a nutshell:

Permissive domains:
pros: saves time
cons: external domains interacting with the local permissive domain are still denied on each system call they make.
cons: make sure you domain transition first (if required) before adding other policy

Permissive mode:
pros: saves even more time
cons: system is unprotected.
cons: make sure you domain transition first (if required) before adding other policy

hth

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
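To make the reply's ordering concrete, here is an added Python example (not from the thread or from the list): it triages constructed AVC denial lines for a hypothetical custom domain myservice_t, surfacing execute_no_trans hits first, separating out denials made by external domains against this domain's types (which stay enforced under a permissive domain), and rendering the remainder as allow rules. The sample lines, the domain name and the paths are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the original thread). The custom
# domain myservice_t and every path/type here are hypothetical.
SAMPLE_AVC = """\
type=AVC msg=audit(1262700000.123:45): avc:  denied  { execute_no_trans } for  pid=1234 comm="myservice" path="/usr/bin/helper" dev=sda1 ino=5678 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1262700000.124:46): avc:  denied  { read open } for  pid=1234 comm="myservice" name="myservice.conf" dev=sda1 ino=91 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1262700000.125:47): avc:  denied  { write } for  pid=1234 comm="myservice" name="myservice.log" dev=sda1 ino=92 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1262700000.126:48): avc:  denied  { write } for  pid=2222 comm="httpd" name="myservice.sock" dev=sda1 ino=93 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:myservice_var_run_t:s0 tclass=sock_file
"""

def parse_avc(line):
    """Permissions, source domain, target type/class of one denial, else None."""
    m = re.search(r"denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": m.group(1).split(),
        "sdom": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path", fields.get("name", "")).strip('"'),
    }

def triage(avc_text, domain):
    """Bucket denials: execute_no_trans hits (decide on a transition first;
    adding one makes the rest of the batch stale), allow-rule candidates,
    and external-domain denials that stay enforced under a permissive domain."""
    prefix = domain[:-2] if domain.endswith("_t") else domain
    transitions, rules, external = [], defaultdict(set), []
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["sdom"] != domain:
            if rec["ttype"].startswith(prefix):  # someone else hitting our types
                external.append((rec["sdom"], rec["ttype"], rec["tclass"]))
            continue
        for perm in rec["perms"]:
            if perm == "execute_no_trans":
                transitions.append((rec["ttype"], rec["path"]))
            else:
                rules[(rec["ttype"], rec["tclass"])].add(perm)
    return transitions, rules, external

def allow_rules(domain, rules):
    return [f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(p))} }};"
            for (ttype, tclass), p in sorted(rules.items())]
```

Only once the execute_no_trans list is empty (or resolved with a domain transition and a fresh test run) is the allow_rules output worth pasting into the .te file.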