7.3.4. Permissive Domains
When SELinux is running in permissive mode, SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Previously, it was not possible to make a single domain permissive (remember: processes run in domains). In certain situations, this led to making the whole system permissive to troubleshoot issues.
Fedora 11 introduces permissive domains, where an administrator can configure a single process (domain) to run permissive, rather than making the whole system permissive. SELinux checks are still performed for permissive domains; however, the kernel allows access and reports an AVC denial for situations where SELinux would have denied access. Permissive domains are also available in Fedora 9 (with the latest updates applied).
In Red Hat Enterprise Linux 4 and 5,
Booleans are available to prevent an application from transitioning to a confined domain, and therefore, the process runs in an unconfined domain, such as
initrc_t. Turning such Booleans on can cause major problems. For example, if the
httpd_disable_trans Boolean is turned on:
httpd runs in the unconfined
initrc_t domain. Files created by processes running in the
initrc_t domain may not have the same labeling rules applied as files created by a process running in the
httpd_t domain, potentially allowing processes to create mislabeled files. This causes access problems later on.
confined domains that are allowed to communicate with
httpd_t can not communicate with
initrc_t, possibly causing additional failures.
Booleans were removed from Fedora 7, even though there was no replacement. Permissive domains solve the above issues: transition rules apply, and files are created with the correct labels.
Permissive domains can be used for:
making a single process (domain) run permissive to troubleshoot an issue, rather than putting the entire system at risk by making the entire system permissive.
creating policies for new applications. Previously, it was recommended that a minimal policy be created, and then the entire machine put into permissive mode, so that the application could run, but SELinux denials still logged.
audit2allow could then be used to help write the policy. This put the whole system at risk. With permissive domains, only the domain in the new policy can be marked permissive, without putting the whole system at risk.
220.127.116.11. Making a Domain Permissive
To make a domain permissive, run the
semanage permissive -a
is the domain you want to make permissive. For example, run the following command as the Linux root user to make the
httpd_t domain (the domain the Apache HTTP Server runs in) permissive:
/usr/sbin/semanage permissive -a httpd_t
To view a list of domains you have made permissive, run the
semodule -l | grep permissive command as the Linux root user. For example:
# /usr/sbin/semodule -l | grep permissive
If you no longer want a domain to be permissive, run the
semanage permissive -d
command as the Linux root user. For example:
/usr/sbin/semanage permissive -d httpd_t