On Thu, 2004-04-08 at 04:28, Arjan van de Ven wrote: > > I would like to see permissive mode the default, > > let me mention one thing to take a misconception away: permissive mode > does NOT, repeat NOT, mean unchanged behavior of the system compared to > selinux being off. It *does* change behavior and some things WILL be > denied. Are you referring to userland SELinux processing? I think that the userland patches are checking /selinux/enforce (via security_getenforce) and acting accordingly, so that they also act "permissively" when the kernel is in permissive mode. Or are you referring to some aspect of the kernel SELinux processing that is not governed by permissive mode? If you are encountering denials in permissive mode, then I'd view that as a bug; please report it. -- Stephen Smalley <sds@xxxxxxxxxxxxxx> National Security Agency
