• Bug
    • Resolution: Done-Errata
    • Normal
    • rhel-9.5
    • rhel-9.4
    • selinux-policy
    • None
    • selinux-policy-38.1.38-1.el9
    • None
    • None
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 12
    • None
    • QE ack
    • False
    • None
    • Yes
    • CY24Q2
    • The number of permissive domains should be zero. The rhcd_t domain is an exception.
    • Pass
    • Automated
    • Enhancement
    • .Four RHEL services removed from SELinux permissive mode

      The following SELinux domains for RHEL services have been removed from SELinux permissive mode:

      * `afterburn_t`
      * `bootupd_t`
      * `mptcpd_t`
      * `rshim_t`

      Previously, these services from packages recently added to RHEL 9 were temporarily set to SELinux permissive mode, which allows gathering information about additional denials while the rest of the system is in SELinux enforcing mode. This temporary setting has now been removed, and as a result, these services now run in SELinux enforcing mode.
    • Done
    • None

      There are currently 4 domains in selinux-policy in permissive mode:

      rhel94# seinfo --permissive

      Permissive Types: 5
        afterburn_t
        coreos_installer_t
        mptcpd_t
        rhcd_t
        rshim_t

      The domains have been confined in Fedora for some time:

      afterburn https://github.com/fedora-selinux/selinux-policy/pull/1362

      coreos-installer https://github.com/fedora-selinux/selinux-policy/pull/1604

      mptcpd https://github.com/fedora-selinux/selinux-policy/pull/1453

      rshim https://github.com/fedora-selinux/selinux-policy/pull/1471

      with very few subsequent updates. There is one open issue with afterburn: https://bugzilla.redhat.com/show_bug.cgi?id=2254975

      Permissive mode of rhcd_t is handled in the rhc package scripts.

       

              rhn-support-zpytela Zdenek Pytela
              rhn-support-zpytela Zdenek Pytela
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala
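
A check for the acceptance criterion stated above (no permissive domains except `rhcd_t`), written as an added example that is not part of the issue or of the selinux-policy project. The function names, the `ALLOWED_PERMISSIVE` variable and the `--live` switch are assumptions; the embedded sample is the `seinfo --permissive` output quoted in the description.

```shell
#!/bin/sh
# Audit permissive SELinux domains against an allowlist (added example).

# Domains allowed to stay permissive; the issue names rhcd_t as the only exception.
ALLOWED_PERMISSIVE="rhcd_t"

# Constructed sample input: the seinfo output quoted in the issue description.
SAMPLE_BEFORE='
Permissive Types: 5
   afterburn_t
   coreos_installer_t
   mptcpd_t
   rhcd_t
   rshim_t
'

# Read `seinfo --permissive` output on stdin, print one type name per line.
parse_permissive() {
    awk '/^Permissive Types:/ { next } NF == 1 { print $1 }'
}

# Print every permissive type that is not on the allowlist.
unexpected_permissive() {
    parse_permissive | while read -r t; do
        case " $ALLOWED_PERMISSIVE " in
            *" $t "*) ;;                  # allowlisted, ignore
            *) printf '%s\n' "$t" ;;      # unexpected, report
        esac
    done
}

# Return 0 only when nothing outside the allowlist is permissive.
audit_permissive() {
    bad=$(unexpected_permissive)
    if [ -n "$bad" ]; then
        printf 'FAIL: unexpected permissive domains:\n%s\n' "$bad" >&2
        return 1
    fi
    echo "PASS: no permissive domains outside the allowlist"
}

# Live use: sh script.sh --live. A seinfo failure must not read as a pass.
if [ "${1:-}" = "--live" ]; then
    out=$(seinfo --permissive) || { echo "seinfo failed" >&2; exit 2; }
    printf '%s\n' "$out" | audit_permissive
fi
```

Run against the sample, the audit fails and lists the four non-exempt domains, which is the state the issue describes before the policy update.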