On Wed, 17 Dec 2008, Stephen Smalley wrote:

> In permissive mode, when a permission would be denied for a given
> (source context, target context, target class) triple for the first
> time, the kernel audits the denial (avc: denied) and then adds that
> permission to the allowed vector for that triple in the AVC (access
> vector cache). Thus, subsequent uses of that same permission on that
> same triple will not trigger further denials until the cache entry is
> evicted from the cache (which can happen automatically if we need to
> free up space for use by other entries or explicitly upon either a
> policy reload or changing a policy boolean).

What about adding a kernel option (say, selinux_permissive_debug), which
causes the permission update to be bypassed, but still allows the
operation?

Something like:

int avc_has_perm_noaudit(...)
{
	...
	if (denied) {
		if (flags & AVC_STRICT)
			rc = -EACCES;
		else if (!selinux_enforcing || security_permissive_sid(ssid)) {
			/* permissive: allow, but skip the grant when debugging
			 * so that every repeat of the denial is audited */
			if (!selinux_permissive_debug)
				avc_update_node(AVC_CALLBACK_GRANT, requested,
						ssid, tsid, tclass);
		} else {
			rc = -EACCES;
		}
	}
	...
}

-- 
James Morris <jmorris@xxxxxxxxx>
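A small constructed model in C of the AVC behaviour Stephen describes and of the knob James proposes (this is an added illustration, not kernel code and not James's patch): the first denial of a triple is audited and the permission is granted into the cache entry, so repeats are silent until a flush; with the debug knob set the grant is skipped and every repeat is audited. The policy, the slot count and the struct names are assumptions of this model.

```c
#include <stdint.h>
#include <string.h>
#define AVC_SLOTS 8
#define EACCES_RC (-13)   /* -EACCES */
/* One cache entry: the allowed vector cached for a (ssid, tsid, tclass) triple. */
struct avc_node { uint32_t ssid, tsid; uint16_t tclass; uint32_t allowed; int used; };
struct avc_model {
    struct avc_node nodes[AVC_SLOTS];
    int enforcing;         /* stands in for selinux_enforcing */
    int permissive_debug;  /* the proposed selinux_permissive_debug knob */
    int audits;            /* how many "avc: denied" messages were emitted */
};

/* Constructed policy: every triple is granted only bit 0x1, so 0x2 is a denial. */
static uint32_t policy_allowed(uint32_t ssid, uint32_t tsid, uint16_t tclass)
{ (void)ssid; (void)tsid; (void)tclass; return 0x1; }

/* Find the entry for a triple, computing it from policy on a cache miss. */
static struct avc_node *avc_lookup(struct avc_model *avc, uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
    struct avc_node *slot = NULL;
    for (int i = 0; i < AVC_SLOTS; i++) {
        struct avc_node *n = &avc->nodes[i];
        if (n->used && n->ssid == ssid && n->tsid == tsid && n->tclass == tclass)
            return n;
        if (!n->used && !slot)
            slot = n;
    }
    if (slot)   /* miss: fill from policy (a real AVC reclaims entries when full) */
        *slot = (struct avc_node){ ssid, tsid, tclass, policy_allowed(ssid, tsid, tclass), 1 };
    return slot;
}

/* Policy reload or boolean change drops cached entries, so the next denial is audited again. */
void avc_flush(struct avc_model *avc) { memset(avc->nodes, 0, sizeof avc->nodes); }

int avc_has_perm(struct avc_model *avc, uint32_t ssid, uint32_t tsid, uint16_t tclass, uint32_t requested)
{
    struct avc_node *n = avc_lookup(avc, ssid, tsid, tclass);
    if (!n) return EACCES_RC;                 /* cache full: fail closed in this model */
    int rc = 0;
    if (requested & ~n->allowed) {
        avc->audits++;                        /* "avc: denied { ... }" */
        if (avc->enforcing)
            rc = EACCES_RC;
        else if (!avc->permissive_debug)      /* AVC_CALLBACK_GRANT */
            n->allowed |= requested;          /* later repeats hit the cache silently */
    }
    return rc;                                /* permissive: 0 either way */
}
```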