Fedora 17 New Security Feature part VIII - New SELinux Domains in F17
With each Fedora release we ship a bunch of new domains that run in permissive mode for that release. When the next release comes out, those permissive domains are switched to enforcing.

In my blog post, 10 things you probably did not know about SELinux, #4, I describe how you can interact with permissive domains.

Anyway, these are the permissive domains from Fedora 16 that will now be confined.

Fedora 16 Permissive Domains

pptp_t
quota_nld_t
sshd_sandbox_t
nova_ajax_t
nova_api_t
nova_compute_t
nova_direct_t
nova_network_t
nova_objectstore_t
nova_scheduler_t
nova_vncproxy_t
nova_volume_t
rabbitmq_epmd_t
rabbitmq_beam_t
deltacloudd_t
iwhd_t
mongod_t
thin_t
chrome_sandbox_nacl_t
matahari_sysconfigd_t

Fedora 17 Permissive Domains

couchdb_t (/usr/bin/couchdb)
blueman_t (/usr/libexec/blueman-mechanism)
httpd_zoneminder_script_t (/usr/libexec/zoneminder/cgi-bin(/.*)?)
zoneminder_t (/usr/bin/zmpkg.pl)
selinux_munin_plugin_t (/usr/share/munin/plugins/selinux_avcstat)
sge_shepherd_t (/usr/bin/sge_shepherd)
sge_execd_t (/usr/bin/sge_execd)
matahari_rpcd_t (/usr/bin/sge_execd)
keystone_t (/usr/bin/keystone-all)
pacemaker_t (/usr/sbin/pacemakerd)

Of course I reserve the right to add to this list. Our goal is to make sure all init/dbus services run with a type other than initrc_t.

If you see a process on your machine that is shipped by Fedora running as initrc_t, please open a bugzilla against the SELinux policy.
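As an added example (not part of the original post), here is a small shell helper for the two checks above: spotting processes left in the catch-all initrc_t domain from `ps -eZ` output, and checking whether a domain from the lists above is currently permissive according to `semanage permissive -l`. The `ps -eZ` sample is constructed; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads `ps -eZ` style lines (LABEL PID TTY TIME CMD) from stdin and prints
# "PID CMD" for every process whose SELinux type is initrc_t. Anything listed
# here that Fedora ships is a candidate for a policy bug report.
find_initrc_procs() {
    awk '$1 ~ /:initrc_t:/ && $2 != "PID" { print $2, $NF }'
}

# Reads `semanage permissive -l` output from stdin and succeeds (exit 0) when
# the given domain type is listed as permissive. A permissive domain logs AVC
# denials but is not actually blocked, which is why it matters to know.
is_permissive() {
    grep -qx "$1"
}

# Constructed sample `ps -eZ` output: one daemon still running as initrc_t.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:01 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023  812 ?        00:00:00 sshd
system_u:system_r:initrc_t:s0      1042 ?        00:00:00 mydaemon
system_u:system_r:httpd_t:s0       1100 ?        00:00:02 httpd'

# Constructed sample `semanage permissive -l` output listing two F17 domains.
SAMPLE_PERMISSIVE='Builtin Permissive Types

couchdb_t
pacemaker_t'

# Convenience wrapper used for the constructed sample: count of initrc_t hits.
count_initrc_procs() {
    printf '%s\n' "$SAMPLE_PS" | find_initrc_procs | wc -l | tr -d ' '
}

# Returns 0 if the named domain is permissive in the constructed sample.
sample_is_permissive() {
    printf '%s\n' "$SAMPLE_PERMISSIVE" | is_permissive "$1"
}
```

On a live Fedora box the same functions run as `ps -eZ | find_initrc_procs` and `semanage permissive -l | is_permissive couchdb_t` (the latter needs root).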