On Wed, Sep 21, 2022 at 12:11 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Wed, Sep 21, 2022 at 2:54 PM <jeffxu@xxxxxxxxxxxx> wrote:
> >
> > From: Jeff Xu <jeffxu@xxxxxxxxxxxx>
> >
> > When SECURITY_SELINUX_DEVELOP=y and the system is running in permissive
> > mode, it is useful to disable logging from permissive domain, so audit
> > log does not get spammed.
> >
> > Signed-off-by: Jeff Xu <jeffxu@xxxxxxxxxxxx>
> > Signed-off-by: Luis Hector Chavez <lhchavez@xxxxxxxxxx>
> > Tested-by: Luis Hector Chavez <lhchavez@xxxxxxxxxxxx>
> > Tested-by: Jeff Xu <jeffxu@xxxxxxxxxxxx>
> > ---
> >  security/selinux/Kconfig | 10 ++++++++++
> >  security/selinux/avc.c   |  9 +++++++++
> >  2 files changed, 19 insertions(+)
>
> I'm sorry, but I can't accept this into the upstream kernel.
> Permissive mode, both per-domain and system-wide, is not intended to
> be a long term solution.  Permissive mode should really only be used
> as a development tool or emergency "hotfix" with the proper solution
> being either an adjustment of the existing policy (SELinux policy
> booleans, labeling changes, etc.) or the development of a new policy
> module which better fits your use case.
>
Thanks for the response.

For a system that wants to control a few daemons, is there a recommended
pattern from SELinux?

I read this blog about the unconfined domain (unconfined_t); maybe this is one way?
https://wiki.gentoo.org/wiki/SELinux/Tutorials/What_is_this_unconfined_thingie_and_tell_me_about_attributes

I have two questions on the unconfined domain:
1> Is the unconfined_t domain supported in SECURITY_SELINUX_DEVELOP=n mode?
2> Will the unconfined_t domain also log as a permissive domain?

Thanks
Jeff

> --
> paul-moore.com
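The alternative Paul describes above, a dedicated policy module for the daemon rather than a kernel-side change to permissive-domain logging, is shown here as an added example in raw kernel policy language (not refpolicy m4 macros). It is not part of this thread, of the posted patch, or of any real policy: the daemon name mydaemon, its path /usr/sbin/mydaemon, and the assumption that it is started by refpolicy's init_t domain are all hypothetical. The example also shows the two policy-level knobs that relate to the audit-spam problem the patch tried to solve in the kernel: the `permissive` statement, which marks a single domain permissive while its denials keep being logged, and `dontaudit`, which silences a specific denial without granting it.

```selinux
# mydaemon.te  -- example module, not from the thread or the patch.
# Confines a hypothetical daemon /usr/sbin/mydaemon started by init_t.
module mydaemon 1.0;

require {
    # Types, attributes and classes this module relies on; they must exist
    # in the base policy (names below follow the reference policy).
    type init_t;
    attribute domain;
    attribute exec_type;
    attribute file_type;
    role system_r;
    class process { transition sigchld };
    class file { getattr open read execute map entrypoint };
    class capability { dac_override };
}

# The daemon's process domain and the label of its executable.
type mydaemon_t;
typeattribute mydaemon_t domain;
type mydaemon_exec_t;
typeattribute mydaemon_exec_t exec_type, file_type;

# The daemon runs under the system role.
role system_r types mydaemon_t;

# Domain transition: when init_t executes a mydaemon_exec_t file, the new
# process lands in mydaemon_t.  All three sides of the transition are needed.
allow init_t mydaemon_exec_t:file { getattr open read execute map };
allow init_t mydaemon_t:process transition;
allow mydaemon_t mydaemon_exec_t:file { getattr open read execute map entrypoint };
type_transition init_t mydaemon_exec_t:process mydaemon_t;

# Let the daemon report its exit to init.
allow mydaemon_t init_t:process sigchld;

# Policy-level answer to a noisy denial that should stay denied:
# dontaudit suppresses the AVC record without granting the permission.
# (semodule -DB rebuilds the policy with all dontaudit rules disabled when
# you need to see them again; semodule -B restores them.)
dontaudit mydaemon_t self:capability dac_override;

# Development only: make just this domain permissive.  Denials are still
# logged, which is exactly the behaviour the rejected patch wanted to
# switch off.  Remove this line, and fix the policy instead, before shipping.
permissive mydaemon_t;
```

To try it, pair the module with a file-contexts file containing `/usr/sbin/mydaemon -- system_u:object_r:mydaemon_exec_t:s0`, then build and load it with `checkmodule -M -m -o mydaemon.mod mydaemon.te`, `semodule_package -o mydaemon.pp -m mydaemon.mod -f mydaemon.fc` and `semodule -i mydaemon.pp`, and relabel the binary with `restorecon -v /usr/sbin/mydaemon`. `seinfo --permissive` (or `semanage permissive -l`) lists which domains are currently permissive, so the development-only line above is easy to spot before release; `ausearch -m avc -ts recent | audit2allow` turns the denials collected while the domain is permissive into candidate `allow` rules, which is the iteration loop Paul's reply points to instead of silencing the log. One caveat: the `map` file permission exists only in policies built for kernels that define it (4.13 and later); on an older base policy drop it from both the `require` block and the `allow` rules, or the module will fail to load.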