On Wed, 1 Apr 2009, KaiGai Kohei wrote:

> This patch enables applications to handle permissive domain correctly.
>
> Since the v2.6.26 kernel, SELinux has supported an idea of permissive
> domain which allows certain processes to work as if permissive mode,
> even if the global setting is enforcing mode.
> However, we don't have an application program interface to inform
> what domains are permissive one, and what domains are not.
> It means applications focused on SELinux (XACE/SELinux, SE-PostgreSQL
> and so on) cannot handle permissive domain correctly.
>
> This patch adds the sixth field (flags) on the reply of the /selinux/access
> interface which is used to make an access control decision from userspace.
> If the first bit of the flags field is positive, it means the required
> access control decision is on permissive domain, so application should
> allow any required actions, as the kernel does.
>
> This patch also has a side benefit. The av_decision.flags is set at
> context_struct_compute_av(). It enables to check required permissions
> without read_lock(&policy_rwlock).
>
> Signed-off-by: KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

Applied.

--
James Morris <jmorris@xxxxxxxxx>
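An added example, not code from the patch or from libselinux: how a userspace object manager might parse the /selinux/access reply and honour the permissive-domain bit described above. The field order before the flags field (allowed, decided, auditallow, auditdeny, seqno), the struct, the function names and the `AVD_PERMISSIVE` constant are assumptions made for illustration, and the reply strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical name for the first bit of the flags field. */
#define AVD_PERMISSIVE 0x1u

struct av_reply {
    uint32_t allowed, decided, auditallow, auditdeny, seqno, flags;
};

/* Parse a reply string read back from /selinux/access.
 * Assumed layout: five fields, then the sixth (flags) field.
 * A five-field reply (kernel without the flags field) yields flags = 0,
 * so an older kernel is never mistaken for a permissive domain.
 * Returns 0 on success, -1 on a malformed reply. */
int parse_av_reply(const char *buf, struct av_reply *r)
{
    unsigned int a, d, aa, ad, seq, fl = 0;
    int n = sscanf(buf, "%x %x %x %x %u %x", &a, &d, &aa, &ad, &seq, &fl);
    if (n < 5)
        return -1;
    r->allowed = a;  r->decided = d;  r->auditallow = aa;
    r->auditdeny = ad;  r->seqno = seq;
    r->flags = (n == 6) ? fl : 0;
    return 0;
}

/* 1 if the policy itself grants every requested permission bit. */
int av_policy_allows(const struct av_reply *r, uint32_t requested)
{
    return (r->allowed & requested) == requested;
}

/* 1 if the object manager should let the action proceed: either the
 * policy grants it, or the decision was made on a permissive domain. */
int av_permits(const struct av_reply *r, uint32_t requested)
{
    return av_policy_allows(r, requested) || (r->flags & AVD_PERMISSIVE);
}

int main(void)
{
    struct av_reply r;
    /* Constructed reply: permission bits 0x3 allowed, permissive bit set. */
    if (parse_av_reply("3 ffffffff 0 ffffffff 7 1", &r) != 0)
        return 1;
    printf("request 0x4: policy=%d permit=%d\n",
           av_policy_allows(&r, 0x4), av_permits(&r, 0x4));
    return 0;
}
```

Keeping `av_policy_allows` separate from `av_permits` lets the caller still log a request that passed only because the domain is permissive.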