Difference between revisions of "PermissiveDomainRecipe"

From SELinux Wiki
Jump to: navigation, search
(New page: Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced. However, this is problematic if only one ...)
 
Line 1: Line 1:
 
Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced.  However, this is problematic if only one application or service is being deployed to a system that is already up and running in production.  Running in permissive mode is effectively disabling SELinux.  This is where permissive domains are useful.  Permissive domains are individual domains that are specified to run in permissive mode, allowing the remainder of the system to be in enforcing mode.
 
Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced.  However, this is problematic if only one application or service is being deployed to a system that is already up and running in production.  Running in permissive mode is effectively disabling SELinux.  This is where permissive domains are useful.  Permissive domains are individual domains that are specified to run in permissive mode, allowing the remainder of the system to be in enforcing mode.
  
There are two ways to make a domain permissive.  If you are writing a policy for your myapp_t domain, simply add the following statement to its .te file and rebuild the policy:
+
There are two ways to make a domain permissive.  If you are writing a policy for your ''myapp_t'' domain, simply add the following statement to its .te file and rebuild the policy:
  
 
  permissive myapp_t;
 
  permissive myapp_t;
  
As long as this statement is compiled into the policy, the myapp_t domain will run in permissive mode.  Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.
+
As long as this statement is compiled into the policy, the ''myapp_t'' domain will run in permissive mode.  Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.
  
 
Alternatively, the semanage program can set the myapp_t domain permissive:
 
Alternatively, the semanage program can set the myapp_t domain permissive:
Line 14: Line 14:
  
 
  # semanage permissive -d myapp_t
 
  # semanage permissive -d myapp_t
 +
 +
Permissive domains are not the same thing as unconfined domains (such as ''unconfined_t''). Unconfined domains run with no or few restrictions but do not log any requested access whereas permissive domains will log access what would be denied in order to help you write a policy for the domain without putting the entire system in permissive mode. Use the normal tools such as audit2allow while a type is permissive, and when you are happy with its policy you can take it out of permissive mode by either removing the 'permissive myapp_t;' statement from the policy or by running the semanage command above.

Revision as of 19:01, 19 November 2009

Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced. However, this is problematic if only one application or service is being deployed to a system that is already up and running in production. Running in permissive mode is effectively disabling SELinux. This is where permissive domains are useful. Permissive domains are individual domains that are specified to run in permissive mode, allowing the remainder of the system to be in enforcing mode.

There are two ways to make a domain permissive. If you are writing a policy for your myapp_t domain, simply add the following statement to its .te file and rebuild the policy:

permissive myapp_t;

As long as this statement is compiled into the policy, the myapp_t domain will run in permissive mode. Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.

Alternatively, the semanage program can set the myapp_t domain permissive:

# semanage permissive -a myapp_t

And to remove it from permissive domain mode, use the following semanage command:

# semanage permissive -d myapp_t

Permissive domains are not the same thing as unconfined domains (such as unconfined_t). Unconfined domains run with no or few restrictions but do not log any requested access whereas permissive domains will log access what would be denied in order to help you write a policy for the domain without putting the entire system in permissive mode. Use the normal tools such as audit2allow while a type is permissive, and when you are happy with its policy you can take it out of permissive mode by either removing the 'permissive myapp_t;' statement from the policy or by running the semanage command above.