Should programs function the same / compute the same results when running a system with SELinux enabled but in permissive mode as when running a system with SELinux disabled? I would have thought the only expected visible difference would be the presence or absence of warning messages. I am now running an application which does not yet have a complete or correct SELinux policy, so I edited /etc/selinux/config to contain: SELINUX=permissive saved, rebooted. I was surprised to subsequently see in /var/log/messages lines such as: ...setroubleshoot: SELinux is preventing /usr/bin/perl "write" access on z.sock. If SELINUX=disabled is set and saved in /etc/selinux/config, after reboot no messages about preventing writes appear in /var/log/messages when running the same daemons and applications. I have not yet delved into the code enough to confirm or deny whether these writes were allowed or not (when running in permissive mode). Does setroubleshoot log the same messages whether they are errors (enforcing mode, plausible wording as above) or warnings (permissive mode, better if worded something like: ...setroubleshoot: SELinux warns about (inconsistent with policy) ... )? If I determine the actions matched the log message, should the bugzilla be filed against the policy, or setroubleshoot, or some other component? Fedora 13 selinux-policy-targeted-3.7.19-33.fc13.noarch setroubleshoot-2.2.88-1.fc13.x86_64 Cheers, Nelson -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
