Force avc_has_perm to return success if enforcing == 0;


I would like to patch libselinux to always return 0 on avc_has_perm if
the machine is in permissive mode.

This will allow Userspace Object Managers to work even if the system
is totally mislabeled and processes are running with bad context.
Currently if a program like dbus asks with a bad process label it can
get denials even in permissive mode.

Does anyone see a problem with this?
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index e7ad31d..2de39b9 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -801,6 +801,7 @@ int avc_has_perm_noaudit(security_id_t ssid,
 
       out:
 	avc_release_lock(avc_lock);
+	if (!avc_enforcing) return 0;
 	return rc;
 }
 
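Review bot: the added `if (!avc_enforcing) return 0;` at the `out:` label discards whatever `rc` holds, so in permissive mode every failure that reaches this exit is reported as success, not only a permission denial. Consider limiting the override to the denial result so that other errors still reach the caller. The check also reads `avc_enforcing` after `avc_release_lock(avc_lock)`; doing the test before the lock is released would keep it consistent with the state the decision was made under. A short comment stating the intended permissive-mode behaviour, and the `return` on its own line, would make the change easier to maintain.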
