http://selinuxproject.org/w/?title=PermissiveDomainRecipe&limit=500&action=history&feed=atom PermissiveDomainRecipe - Revision history 2024-03-28T13:16:00Z Revision history for this page on the wiki MediaWiki 1.23.13 http://selinuxproject.org/w/?title=PermissiveDomainRecipe&diff=1006&oldid=prev Jaxelson: added category 2010-08-31T18:29:39Z <p>added category</p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 18:29, 31 August 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 16:</td> <td colspan="2" class="diff-lineno">Line 16:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Permissive domains are not the same thing as unconfined domains (such as ''unconfined_t''). 
Unconfined domains run with no or few restrictions but do not log any requested access whereas permissive domains will log access what would be denied in order to help you write a policy for the domain without putting the entire system in permissive mode. Use the normal tools such as audit2allow while a type is permissive, and when you are happy with its policy you can take it out of permissive mode by either removing the 'permissive myapp_t;' statement from the policy or by running the semanage command above.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Permissive domains are not the same thing as unconfined domains (such as ''unconfined_t''). Unconfined domains run with no or few restrictions but do not log any requested access whereas permissive domains will log access what would be denied in order to help you write a policy for the domain without putting the entire system in permissive mode. 
Use the normal tools such as audit2allow while a type is permissive, and when you are happy with its policy you can take it out of permissive mode by either removing the 'permissive myapp_t;' statement from the policy or by running the semanage command above.</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:Recipes]]</ins></div></td></tr> </table> Jaxelson http://selinuxproject.org/w/?title=PermissiveDomainRecipe&diff=815&oldid=prev JoshuaBrindle at 19:01, 19 November 2009 2009-11-19T19:01:52Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 19:01, 19 November 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Permissive mode in SELinux is useful for developing and debugging policies since, as the 
system runs, access denials are logged but not enforced.&#160; However, this is problematic if only one application or service is being deployed to a system that is already up and running in production.&#160; Running in permissive mode is effectively disabling SELinux.&#160; This is where permissive domains are useful.&#160; Permissive domains are individual domains that are specified to run in permissive mode, allowing the remainder of the system to be in enforcing mode.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced.&#160; However, this is problematic if only one application or service is being deployed to a system that is already up and running in production.&#160; Running in permissive mode is effectively disabling SELinux.&#160; This is where permissive domains are useful.&#160; Permissive domains are individual domains that are specified to run in permissive mode, allowing the remainder of the system to be in enforcing mode.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; 
border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>There are two ways to make a domain permissive.&#160; If you are writing a policy for your myapp_t domain, simply add the following statement to its .te file and rebuild the policy:</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>There are two ways to make a domain permissive.&#160; If you are writing a policy for your <ins class="diffchange diffchange-inline">''</ins>myapp_t<ins class="diffchange diffchange-inline">'' </ins>domain, simply add the following statement to its .te file and rebuild the policy:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; permissive myapp_t;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; permissive myapp_t;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; 
border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>As long as this statement is compiled into the policy, the myapp_t domain will run in permissive mode.&#160; Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>As long as this statement is compiled into the policy, the <ins class="diffchange diffchange-inline">''</ins>myapp_t<ins class="diffchange diffchange-inline">'' </ins>domain will run in permissive mode.&#160; Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: 
#333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Alternatively, the semanage program can set the myapp_t domain permissive:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Alternatively, the semanage program can set the myapp_t domain permissive:</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 14:</td> <td colspan="2" class="diff-lineno">Line 14:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; # semanage permissive -d myapp_t</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; # semanage permissive -d myapp_t</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Permissive domains are not the same thing as unconfined domains (such as ''unconfined_t''). Unconfined domains run with no or few restrictions but do not log any requested access whereas permissive domains will log access what would be denied in order to help you write a policy for the domain without putting the entire system in permissive mode. Use the normal tools such as audit2allow while a type is permissive, and when you are happy with its policy you can take it out of permissive mode by either removing the 'permissive myapp_t;' statement from the policy or by running the semanage command above.</ins></div></td></tr> </table> JoshuaBrindle http://selinuxproject.org/w/?title=PermissiveDomainRecipe&diff=795&oldid=prev ChrisPeBenito: New page: Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced. However, this is problematic if only one ... 2009-11-12T15:24:32Z <p>New page: Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced. However, this is problematic if only one ...</p> <p><b>New page</b></p><div>Permissive mode in SELinux is useful for developing and debugging policies since, as the system runs, access denials are logged but not enforced. However, this is problematic if only one application or service is being deployed to a system that is already up and running in production. 
Running in permissive mode is effectively disabling SELinux. This is where permissive domains are useful. Permissive domains are individual domains that are specified to run in permissive mode, allowing the remainder of the system to be in enforcing mode.<br /> <br /> There are two ways to make a domain permissive. If you are writing a policy for your myapp_t domain, simply add the following statement to its .te file and rebuild the policy:<br /> <br /> permissive myapp_t;<br /> <br /> As long as this statement is compiled into the policy, the myapp_t domain will run in permissive mode. Simply delete the statement and rebuild the policy to remove the domain from permissive domain mode.<br /> <br /> Alternatively, the semanage program can set the myapp_t domain permissive:<br /> <br /> # semanage permissive -a myapp_t<br /> <br /> And to remove it from permissive domain mode, use the following semanage command:<br /> <br /> # semanage permissive -d myapp_t</div> ChrisPeBenito
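Triaging what a permissive domain logs, as an added example that is not part of the wiki page or its revisions: the script below is assumed to run over AVC audit records (for instance the output of ausearch -m AVC), the sample lines are constructed, and it relies on the permissive=1 field the kernel sets on a denial that was logged but not enforced, so those records are the accesses a policy (or audit2allow) must cover before the 'permissive myapp_t;' statement is dropped or semanage permissive -d is run, while permissive=0 records confirm the rest of the system stayed enforcing.

```shell
#!/bin/sh
# Added example, not from the wiki page: triage what a permissive domain would
# have been denied. Sample AVC records below are constructed; the field layout
# follows the kernel's AVC audit format, where permissive=1 marks a denial that
# was logged but not enforced and permissive=0 one that really was blocked.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="myapp" name="config.ini" dev="dm-0" ino=777 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1234 comm="myapp" dest=5432 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1234 comm="myapp" name="config.ini" dev="dm-0" ino=777 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# would_be_denied DOMAIN: read AVC records on stdin and print each distinct
# "tclass { perms } -> target type" that DOMAIN was granted only because it was
# permissive. These are the accesses the policy must cover before the
# 'permissive DOMAIN;' statement is removed or 'semanage permissive -d' is run.
would_be_denied() {
    awk -v dom="$1" '
        /type=AVC/ && /permissive=1/ {
            match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
            if (s[3] != dom) next                      # third field of a context is the type
            match($0, /[{][^}]*[}]/);  perms = substr($0, RSTART, RLENGTH)
            match($0, /tclass=[^ ]+/); tc = substr($0, RSTART + 7, RLENGTH - 7)
            match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
            key = tc " " perms " -> " t[3]
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# enforced_denials DOMAIN: count records where DOMAIN was actually blocked
# (permissive=0), i.e. evidence that the rest of the system stayed enforcing.
enforced_denials() {
    awk -v dom="$1" '
        /type=AVC/ && /permissive=0/ && $0 ~ ("scontext=[^ ]+:" dom ":") { n++ }
        END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_AVC" | would_be_denied myapp_t
printf 'enforced denials for httpd_t: %s\n' "$(printf '%s\n' "$SAMPLE_AVC" | enforced_denials httpd_t)"
```

Pipe real records in with ausearch -m AVC --raw instead of the constructed sample; repeated denials of the same access collapse to one line, which is the list to check against the policy before leaving permissive domain mode.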