On Wed, 2009-04-15 at 08:15 -0400, Daniel J Walsh wrote:
> On 04/14/2009 02:42 PM, Colin Walters wrote:
> > Hi,
> >
> > I'd like broader input on:
> > http://bugs.freedesktop.org/show_bug.cgi?id=21072
> >
> > Is this something we can do inside libselinux itself? Or are we
> > planning similar patches around avc_has_perm calls for the X server,
> > libvirt and other userspace programs?
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> > the words "unsubscribe selinux" without quotes as the message.
>
> So the question is whether the API should return allowed when in
> permissive mode rather than denied and make every App server code up
> permissive mode check.
>
> We have had several bugs where tools have not checked whether the
> machine is in permissive mode when doing an access check. One
> possibility would be to generate the AVC in the check code when in
> permissive mode or always generate the AVC, then return allowed.
>
> If you look at the calling app's point of view it is asking if the user
> should be allowed the access and in permissive mode he should be allowed
> the access.

avc_has_perm() already checks for permissive mode internally, unlike
security_compute_av(). However, in this case, the problem is not that
permission was denied but rather that one of the security contexts is no
longer valid.

--
Stephen Smalley
National Security Agency
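The distinction drawn in this thread, as an added example that is not part of the original messages or of libselinux: a caller that uses a raw compute-style query has to apply the permissive-mode check itself and has to treat a failed query (for example a context that is no longer valid) as an error rather than a denial. `compute_fn`, `fake_compute`, `check_access`, the context names and the permission bits are hypothetical stand-ins; the `EINVAL` error for a stale context is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes a userspace object manager has to tell apart. */
enum verdict { ALLOW, ALLOW_PERMISSIVE, DENY, QUERY_ERROR };

/* Hypothetical stand-in for a security_compute_av()-style query:
 * returns 0 and fills *allowed, or -1 with errno set. */
typedef int (*compute_fn)(const char *scon, const char *tcon,
                          uint32_t *allowed);

/* Constructed policy: one valid subject/object pair, bit 0x1 only. */
static int fake_compute(const char *scon, const char *tcon, uint32_t *allowed)
{
    if (strcmp(scon, "user_t") != 0 || strcmp(tcon, "bus_t") != 0) {
        errno = EINVAL;          /* assumed error for a stale context */
        return -1;
    }
    *allowed = 0x1;
    return 0;
}

/* Caller-side check: the permissive test lives here because the raw
 * query only reports what policy allows. */
static enum verdict check_access(compute_fn compute, int enforcing,
                                 const char *scon, const char *tcon,
                                 uint32_t requested)
{
    uint32_t allowed = 0;

    if (compute(scon, tcon, &allowed) < 0)
        return QUERY_ERROR;      /* not a policy denial; caller decides */
    if ((requested & ~allowed) == 0)
        return ALLOW;
    /* Denied by policy: log either way, refuse only when enforcing. */
    fprintf(stderr, "denied perms=0x%x %s -> %s permissive=%d\n",
            (unsigned)(requested & ~allowed), scon, tcon, !enforcing);
    return enforcing ? DENY : ALLOW_PERMISSIVE;
}

int main(void)
{
    /* Permissive mode: a policy denial is allowed, a bad context is not
     * silently turned into either answer. */
    printf("%d\n", check_access(fake_compute, 0, "user_t", "bus_t", 0x2));
    printf("%d\n", check_access(fake_compute, 0, "gone_t", "bus_t", 0x1));
    return 0;
}
```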