PermissiveDomainRecipe

From SELinux Wiki
Revision as of 15:24, 12 November 2009 by ChrisPeBenito (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced. However, this is problematic if only one application or service is being deployed to a system that is already up and running in production. Running in permissive mode is effectively disabling SELinux. This is where permissive domains are useful. Permissive domains are individual domains that are specified to run in permissive mode, allowing the remainder of the system to be in enforcing mode.

There are two ways to make a domain permissive. If you are writing a policy for your myapp_t domain, simply add the following statement to its .te file and rebuild the policy:

permissive myapp_t;

As long as this statement is compiled into the policy, the myapp_t domain will run in permissive mode. Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.

Alternatively, the semanage program can set the myapp_t domain permissive:

# semanage permissive -a myapp_t

And to remove it from permissive domain mode, use the following semanage command:

# semanage permissive -d myapp_t