
Ensure the named_t Process Type is Not in Permissive Mode

Details

In addition to setting the entire SELinux configuration to permissive mode, it is possible to set individual process types (domains), such as named_t, to permissive mode as well. Permissive mode does not prevent any access or actions; instead, any actions that would have been denied are simply logged.

Rationale:

Usage of the permissive mode is helpful for testing and ensuring that SELinux will not prevent access that is necessary for the proper function of the DNS server. However, inappropriate access will not be prevented in permissive mode by SELinux.

Solution

Perform the following to implement the recommended state:

If the named_t type is in permissive mode, delete the customized permissive mode with the following semanage command.

# semanage permissive -d named_t

Default Value:

The named_t type is not in permissive mode by default.
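
To confirm the state before and after the remediation, the following audit check is an added example, not text from the CIS benchmark. It assumes `semanage permissive -l` prints each permissive type on its own line; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit one SELinux domain.
# Assumption: `semanage permissive -l` prints each permissive type on its
# own line under its section headers.

# is_permissive TYPE: read the listing on stdin; return 0 only if TYPE is a
# whole line, so a longer type name containing "named_t" does not match.
is_permissive() {
    awk -v t="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }   # trim surrounding whitespace
        $0 == t { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# audit_domain TYPE: print PASS/FAIL for the listing on stdin; return 1 on FAIL.
audit_domain() {
    dom=$1
    if is_permissive "$dom"; then
        echo "FAIL: $dom is in permissive mode; run: semanage permissive -d $dom"
        return 1
    fi
    echo "PASS: $dom is not in permissive mode"
}

# Constructed sample listings, for trying the functions offline.
sample_permissive() {
    printf '%s\n' '' 'Customized Permissive Types' '' 'named_t' ''
}
sample_enforcing() {
    # xnamed_t_demo is a made-up name used to show that substrings do not match.
    printf '%s\n' '' 'Customized Permissive Types' '' 'httpd_t' 'xnamed_t_demo' ''
}

# Live check on the host: run this script with --live (needs root and semanage).
if [ "${1:-}" = "--live" ]; then
    semanage permissive -l | audit_domain named_t
fi
```

A FAIL result means the `semanage permissive -d named_t` command above still needs to be run.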

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.


Updated on July 16, 2022