Re: Force avc_has_perm to return success if enforcing == 0;

On Thu, 2012-02-16 at 09:37 -0500, Daniel J Walsh wrote:
> On 02/16/2012 09:25 AM, Stephen Smalley wrote:
> > On Tue, 2012-02-14 at 16:22 -0500, Daniel J Walsh wrote:
> >> I would like to patch libselinux to always return 0 on
> >> avc_has_perm if the machine is in permissive mode.
> >> 
> >> This will allow Userspace Object Managers to work even if the
> >> system is totally mislabeled and processes are running with bad
> >> context. Currently if a program like dbus asks with a bad process
> >> label it can get denials even in permissive mode.
> >> 
> >> Does anyone see a problem with this?
> > 
> > I'm not fond of it.  Permissive mode is just supposed to control
> > whether permission is granted, not to hide other kinds of errors.
> > Consider how difficult debugging of an actual failure will be if it
> > only shows up in enforcing mode even though it has nothing to do
> > with policy.
> > 
> Well I guess I can only do the return in the audit_has_perm not the
> audit_has_perm_noaudit, since then the audit message will get
> generated but dbus, passwd, xserver ... will allow the access.
> 
> If an app calls audit_has_perm_noaudit, it will still return failure.

That doesn't help.  The issue is that avc_has_perm can fail for reasons
other than permission failure (which is why you are making this change),
but those other reasons are not logged/audited, so if you make them
succeed in permissive mode, then they won't be seen there.  At all.

-- 
Stephen Smalley
National Security Agency
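
The concern raised in this reply, as an added example that is not part of the thread and is not libselinux code: a blanket "return 0 when not enforcing" hides failures that are not policy denials, while a wrapper that inspects errno can still grant in permissive mode and keep those failures visible. `stub_has_perm` is a hypothetical stand-in for `avc_has_perm()` that follows the same convention (0 on grant, -1 with errno set, EACCES meaning a policy denial); the wrapper names and the log format are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for avc_has_perm(); not libselinux code.
 * Same convention as the real call: 0 on grant, -1 with errno set.
 * errno == EACCES is a policy denial; EINVAL, ENOMEM etc. are not. */
static int stub_has_perm(int fail_errno)
{
    if (fail_errno == 0)
        return 0;
    errno = fail_errno;
    return -1;
}

static int nonpolicy_logged; /* failures made visible to the administrator */

int nonpolicy_log_count(void) { return nonpolicy_logged; }

/* Blanket override: permissive mode turns every failure into success,
 * so a bad context (EINVAL) disappears without a trace. */
int check_blanket(int enforcing, int fail_errno)
{
    int rc = stub_has_perm(fail_errno);
    return enforcing ? rc : 0;
}

/* errno-aware override: permissive mode still grants, but a failure
 * that is not a policy denial is logged before it is overridden. */
int check_errno_aware(int enforcing, int fail_errno)
{
    int rc = stub_has_perm(fail_errno);
    if (rc == 0)
        return 0;
    if (errno != EACCES) {
        int saved = errno; /* fprintf may clobber errno */
        fprintf(stderr, "object manager: permission check failed: %s\n",
                strerror(saved));
        nonpolicy_logged++;
        errno = saved;
    }
    return enforcing ? rc : 0;
}

int main(void)
{
    /* Constructed case: permissive mode, query fails with EINVAL. */
    int blanket = check_blanket(0, EINVAL);
    int aware = check_errno_aware(0, EINVAL);
    printf("blanket rc=%d, aware rc=%d, logged=%d\n",
           blanket, aware, nonpolicy_log_count());
    return 0;
}
```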
