Add SELinux permissive domains to fedora kernels

Eric Paris eparis at redhat.com
Mon Mar 31 18:07:44 UTC 2008


I know its way late but I'd like to add a new SELinux concept to the F9
kernels.  Its going to be a backport of a couple of my changesets headed
upstream

http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=32021b669089eb9b264e6b26af4d9a47eb50d4f1
http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=70d212ebfdd5e39a9d4fb0f8f7ea5c38486f6b04
http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=559dbbc87d0a5d2eb88bbbea5f2b66ee2dfd55d6

Only the third patch is truly interesting.

A permissive domain is a new concept in which a sysadmin can say that a
given domain is free to do anything it wants.  Lets say a user seriously
customized httpd and they want httpd to just be allowed to run wild
while still keeping enforcing for everything else in the system.  With
the kernel patch I want to commit and the userspace changes dan has
already pushed this week they just need a simple policy which says
"permissive httpd_t" and all their httpd_t denials become allows!

One of the upstream patches adds a BUG_ON() but I'm still a teensy bit
scared of it so in the F9 patch I'll probably make it a WARN_ON since it
isn't really deadly to the kernel...   anyway.  Chances of regression
here are very very low.

I would just jam this in myself but we are getting really late and I
wanted people to be able to tell me no before I did it.  If noone
strongly objects quickly expect to see a commit message early this
week....

-Eric




More information about the Fedora-kernel-list mailing list