On 07/29/2010 07:07 PM, Nelson Strother wrote:
> Should programs function the same / compute the same results when
> running a system with SELinux enabled but in permissive mode as when
> running a system with SELinux disabled? I would have thought the only
> expected visible difference would be the presence or absence of
> warning messages.
>
> I am now running an application which does not yet have a complete
> or correct SELinux policy, so I edited /etc/selinux/config to contain:
> SELINUX=permissive
> saved, rebooted. I was surprised to subsequently see in
> /var/log/messages lines such as:
>
> ...setroubleshoot: SELinux is preventing /usr/bin/perl "write" access on z.sock.
>
> If SELINUX=disabled is set and saved in /etc/selinux/config, after
> reboot no messages about preventing writes appear in /var/log/messages
> when running the same daemons and applications.
>
> I have not yet delved into the code enough to confirm or deny
> whether these writes were allowed or not (when running in permissive
> mode). Does setroubleshoot log the same messages whether they are
> errors (enforcing mode, plausible wording as above) or warnings
> (permissive mode, better if worded something like:
>
> ...setroubleshoot: SELinux warns about (inconsistent with policy) ...
>
> )? If I determine the actions matched the log message, should the
> bugzilla be filed against the policy, or setroubleshoot, or some other
> component?
>
> Fedora 13
> selinux-policy-targeted-3.7.19-33.fc13.noarch
> setroubleshoot-2.2.88-1.fc13.x86_64
>
> Cheers,
> Nelson
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

SELinux in permissive mode means that the kernel reports all of the denials as if it was in enforcing mode, but then allows the syscall to succeed. If you look at the AVC record

ausearch -m avc -ts recent

you will see the syscall record. It includes a name/value pair of success=yes or success=no. If the machine is in permissive mode these flags will be success=yes, indicating the syscall was NOT denied. If the machine is in enforcing mode it will USUALLY report success=no. It can report success=yes if the process domain is a permissive domain, or in some cases a syscall can generate an AVC but still succeed, by going down a different code path in the kernel.
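The check described in the reply, reading the success= flag of the SYSCALL record that shares an audit serial with each AVC record, as an added example that is not part of the thread. The audit output below is constructed for the example (pids, inodes, contexts and timestamps are invented) in the raw format ausearch prints; the script groups SYSCALL and AVC records by serial and reports, per denial, whether the syscall actually went through. A success=yes line is labelled "succeeded" rather than "permissive mode", because, as the reply notes, a permissive domain or an alternate kernel code path can also produce it.

```python
import re
from collections import defaultdict

# Constructed sample of raw `ausearch -m avc -ts recent` output (made up for this
# example, not taken from the thread). Record 456 is a permissive-style event
# (success=yes), record 457 an enforced one (success=no).
SAMPLE_AUSEARCH = """\
----
time->Thu Jul 29 19:07:00 2010
type=SYSCALL msg=audit(1280430420.123:456): arch=c000003e syscall=1 success=yes exit=5 a0=3 a1=7f2c a2=5 a3=0 items=0 ppid=1 pid=2345 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1280430420.123:456): avc:  denied  { write } for  pid=2345 comm="perl" name="z.sock" dev=dm-0 ino=131213 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Thu Jul 29 19:07:02 2010
type=SYSCALL msg=audit(1280430422.500:457): arch=c000003e syscall=2 success=no exit=-13 a0=7f2d a1=0 a2=0 a3=0 items=0 ppid=1 pid=2345 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1280430422.500:457): avc:  denied  { read } for  pid=2345 comm="perl" name="shadow" dev=dm-0 ino=262145 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# type=... msg=audit(<timestamp>:<serial>): <body>
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(
    r'^avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value, with or without double quotes around the value
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'a=1 b="x y" c=z' into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_audit_events(text):
    """Group the SYSCALL and AVC records sharing one audit serial into one event."""
    events = defaultdict(lambda: {"serial": None, "syscall": None, "avcs": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # "----" separators and "time->" lines carry nothing we need
        key = (float(m.group("ts")), int(m.group("serial")))
        ev = events[key]
        ev["serial"] = int(m.group("serial"))
        body = m.group("body")
        if m.group("type") == "SYSCALL":
            ev["syscall"] = parse_fields(body)
        elif m.group("type") == "AVC":
            a = AVC_RE.match(body)
            if a is None:
                continue  # not an access-vector line (e.g. a policy-load message)
            avc = parse_fields(a.group("rest"))
            avc["result"] = a.group("result")
            avc["perms"] = a.group("perms").split()
            ev["avcs"].append(avc)
    return [events[k] for k in sorted(events)]


def outcome(event):
    """Classify a denial by the success= flag of its SYSCALL record.

    success=yes: the AVC was logged but the syscall went through (permissive mode,
                 a permissive domain, or a different kernel code path).
    success=no:  the access was really refused (enforcing mode).
    An AVC with no matching SYSCALL record cannot be classified this way.
    """
    sc = event["syscall"]
    if sc is None or "success" not in sc:
        return "unknown"
    return "succeeded" if sc["success"] == "yes" else "denied"


def summarize(text):
    """One row per AVC record: what was denied, on what, and whether it went through."""
    rows = []
    for ev in parse_audit_events(text):
        for avc in ev["avcs"]:
            rows.append({
                "serial": ev["serial"],
                "comm": avc.get("comm"),
                "perms": avc["perms"],
                "tclass": avc.get("tclass"),
                "name": avc.get("name"),
                "scontext": avc.get("scontext"),
                "tcontext": avc.get("tcontext"),
                "outcome": outcome(ev),
            })
    return rows


if __name__ == "__main__":
    # On a real box: ausearch -m avc -ts recent | python3 this_script.py (read stdin)
    for row in summarize(SAMPLE_AUSEARCH):
        print("serial=%d comm=%s %s on %s (%s): syscall %s"
              % (row["serial"], row["comm"], ",".join(row["perms"]),
                 row["name"], row["tclass"], row["outcome"]))
```

For the sample above this prints one "succeeded" line for the z.sock write and one "denied" line for the shadow read, which is exactly the distinction setroubleshoot's wording hides: in the original poster's permissive-mode setup every AVC should come out as "succeeded".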