PermissiveDomainRecipe

From SELinux Wiki
Revision as of 18:29, 31 August 2010 by Jaxelson (Talk | contribs)


Permissive mode in SELinux is useful for developing and debugging policies because, while the system runs, access denials are logged but not enforced. However, this is problematic when only one application or service is being deployed to a system that is already running in production: putting the whole system in permissive mode effectively disables SELinux. This is where permissive domains are useful. A permissive domain is an individual domain that is specified to run in permissive mode while the remainder of the system stays in enforcing mode.

There are two ways to make a domain permissive. If you are writing a policy for your myapp_t domain, simply add the following statement to its .te file and rebuild the policy:

permissive myapp_t;

As long as this statement is compiled into the policy, the myapp_t domain will run in permissive mode. Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.

Alternatively, the semanage program can set the myapp_t domain permissive:

# semanage permissive -a myapp_t

And to remove it from permissive domain mode, use the following semanage command:

# semanage permissive -d myapp_t

Permissive domains are not the same thing as unconfined domains (such as unconfined_t). Unconfined domains run with no or few restrictions but do not log any requested access, whereas permissive domains log the accesses that would be denied, which helps you write a policy for the domain without putting the entire system in permissive mode. Use the normal tools such as audit2allow while a type is permissive. When you are happy with its policy, take the domain out of permissive mode either by removing the 'permissive myapp_t;' statement from the policy or by running the semanage permissive -d command above.
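
An added example, not part of the wiki page: a reduced version of what audit2allow does, limited to one permissive domain, that also flags denials which were actually enforced (meaning the domain was not permissive when they were logged). The log lines are constructed, `review_domain` is a hypothetical name, and the code assumes a kernel that appends `permissive=0|1` to AVC records.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1283279340.101:201): avc:  denied  { read } for  pid=4100 comm="myapp" name="myapp.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1283279340.102:202): avc:  denied  { open } for  pid=4100 comm="myapp" path="/etc/myapp.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1283279341.500:203): avc:  denied  { name_bind } for  pid=4100 comm="myapp" src=8081 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1283279342.000:204): avc:  denied  { write } for  pid=990 comm="httpd" name="tmp" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"  # absent on older kernels
)

def _type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def review_domain(log_text, domain):
    """Return (allow_rules, enforced) for AVC denials whose source type is `domain`.

    allow_rules: candidate 'allow' statements, permissions merged per target/class.
    enforced:    denials logged with permissive=0, i.e. the access was blocked.
    """
    perms_by_key = defaultdict(set)
    enforced = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or _type_of(m["scon"]) != domain:
            continue
        key = (_type_of(m["tcon"]), m["tclass"])
        perms = m["perms"].split()
        perms_by_key[key].update(perms)
        if m["permissive"] == "0":
            enforced.append((key[0], key[1], tuple(perms)))
    rules = [
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(perms_by_key.items())
    ]
    return rules, enforced

if __name__ == "__main__":
    rules, enforced = review_domain(SAMPLE_AUDIT_LOG, "myapp_t")
    print("\n".join(rules))
    print("enforced (domain was not permissive):", enforced)
```

Review each generated rule before adding it to the .te file; a denial can also point to a mislabeled file rather than a missing allow rule.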