On 04/14/2009 02:42 PM, Colin Walters wrote:
> Hi,
>
> I'd like broader input on: http://bugs.freedesktop.org/show_bug.cgi?id=21072
>
> Is this something we can do inside libselinux itself? Or are we planning similar patches around avc_has_perm calls for the X server, libvirt and other userspace programs?
>
> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
So the question is whether the API should return allowed when in permissive mode rather than denied and make every app server code up a permissive mode check.
We have had several bugs where tools have not checked whether the machine is in permissive mode when doing an access check. One possibility would be to generate the AVC in the check code when in permissive mode, or always generate the AVC there, and return allowed.
If you look at the calling app's point of view, it is asking if the user should be allowed the access, and in permissive mode he should be allowed the access.
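The caller-side pattern discussed in this thread, as an added example that is not from the original posts or from libselinux: a denial is always audited, and it becomes an allow only when the mode query definitely reports permissive. `selinux_ops`, `access_allowed`, the sample backends and the context strings are hypothetical stand-ins for `avc_has_perm` and `security_getenforce`, so the code runs without an SELinux host.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-ins for the libselinux calls, injected so the example
 * runs anywhere. avc_check models avc_has_perm(): 0 = allowed, -1 with
 * errno == EACCES on denial. get_enforce models security_getenforce():
 * 1 = enforcing, 0 = permissive, -1 = error. */
struct selinux_ops {
    int (*avc_check)(const char *scon, const char *tcon, const char *perm);
    int (*get_enforce)(void);
};

static int audit_count; /* denials logged, including permissive ones */

/* Returns 1 if the caller should grant access, 0 if it should refuse. */
int access_allowed(const struct selinux_ops *ops, const char *scon,
                   const char *tcon, const char *perm)
{
    if (ops->avc_check(scon, tcon, perm) == 0)
        return 1;                      /* policy allows */
    if (errno != EACCES)
        return 0;                      /* lookup itself failed: fail closed */
    audit_count++;                     /* record the denial in either mode */
    fprintf(stderr, "avc: denied { %s } scontext=%s tcontext=%s\n",
            perm, scon, tcon);
    /* Only a definite "permissive" (0) turns the denial into an allow;
     * an error (-1) from the mode query is treated like enforcing. */
    return ops->get_enforce() == 0;
}

/* Constructed sample backends for the demonstration. */
static int deny_all(const char *s, const char *t, const char *p)
{ (void)s; (void)t; (void)p; errno = EACCES; return -1; }
static int broken_lookup(const char *s, const char *t, const char *p)
{ (void)s; (void)t; (void)p; errno = EINVAL; return -1; }
static int enforcing(void)  { return 1; }
static int permissive(void) { return 0; }
static int mode_error(void) { return -1; }

int main(void)
{
    struct selinux_ops ops = { deny_all, permissive };
    const char *s = "system_u:system_r:example_client_t:s0"; /* constructed */
    const char *t = "system_u:system_r:example_server_t:s0"; /* constructed */
    printf("permissive, denied by policy -> %d\n",
           access_allowed(&ops, s, t, "send_msg"));
    return 0;
}
```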