On Tue, 2010-01-05 at 19:33 +0530, sai ganesh wrote:
> hi,
> I have a query.
> If I want to start a completely custom-made service: I have defined
> all the transitions and types; now I need only the allow rules.
> What is the difference between (going to permissive mode and checking
> the logs to generate the entire set of the policy's allow rules) and
> (generating the allow rules one by one after updating the policy
> again and again in enforcing mode)? I find it easier to generate
> the entire set of allow rules by switching to permissive mode. Is there
> any chance that I may miss a rule if I switch to permissive mode and
> generate the rules from the logs, or, say, give extra permissions?
>
> Which is the preferred method?

One other item to keep in mind about permissive mode: When in permissive
mode, SELinux only logs the first instance of a given permission denial,
i.e. once per (process security context, object security context, object
security class, permission) tuple, and then SELinux silences further
denials on that same permission by granting the permission until the
administrator switches to enforcing mode or reloads the policy.

This is to avoid flooding syslogd or auditd with repeated denials on the
same permission, and to avoid unnecessary duplication in the logs, as the
duplicates would yield the same allow rule regardless. It can however
mask denials on different subjects/objects that happen to be in the same
security context.

See: http://marc.info/?t=122953404700001&r=1&w=2

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
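As an added example (not code from the thread or from any SELinux tool) of the behaviour described in the reply: the script below parses constructed AVC denial lines for a hypothetical mysvc_t domain, shows which denials permissive mode would report and which it would silence because they share the same (scontext, tcontext, tclass, perm) tuple, and collapses the denials into audit2allow-style allow rules. The domain, types, file names and audit records are all made up for the illustration.

```python
import re
from collections import OrderedDict

# Constructed audit records for a hypothetical mysvc_t domain (not from the thread).
SAMPLE_AVC = [
    'type=AVC msg=audit(1262698400.101:41): avc:  denied  { read } for  pid=1201 comm="mysvc" name="config.yaml" scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:mysvc_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1262698400.102:42): avc:  denied  { read } for  pid=1201 comm="mysvc" name="secrets.yaml" scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:mysvc_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1262698400.103:43): avc:  denied  { write } for  pid=1201 comm="mysvc" name="config.yaml" scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:mysvc_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1262698400.104:44): avc:  denied  { name_connect } for  pid=1201 comm="mysvc" scontext=system_u:system_r:mysvc_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial line into a dict of its key=value fields plus a perms list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec

def simulate_permissive(records):
    """Apply the rule from the reply: only the first denial per (scontext, tcontext,
    tclass, perm) tuple is reported. Returns (logged, silenced) as (object name, perm)."""
    seen, logged, silenced = set(), [], []
    for rec in records:
        for perm in rec['perms']:
            key = (rec['scontext'], rec['tcontext'], rec['tclass'], perm)
            (silenced if key in seen else logged).append((rec.get('name'), perm))
            seen.add(key)
    return logged, silenced

def type_of(ctx):
    return ctx.split(':')[2]  # type field of a user:role:type:level context

def allow_rules(records):
    """Collapse denials into audit2allow-style allow rules keyed on (source type, target type, class)."""
    perms = OrderedDict()
    for rec in records:
        bucket = perms.setdefault((type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass']), [])
        for p in rec['perms']:
            if p not in bucket:
                bucket.append(p)
    return ['allow %s %s:%s %s;' % (s, t, c, ps[0] if len(ps) == 1 else '{ %s }' % ' '.join(ps))
            for (s, t, c), ps in perms.items()]
```

Note that the read of secrets.yaml never reaches the log at all; the generated rule still covers it because it shares a type with config.yaml, but the administrator never gets to see that access and judge whether the type assignment was right.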