Yeah but the Zygote failures will be in logcat, so if you missed them when you were testing in permissive mode, then its your problem. This is the same behavior as the rest of the system, we just need to agree upon a "avc denied" message for Zygote and teach the SEAndroidManager app to look for those too. I don't think I can advise as to the best message and was looking to you for a possible formatting for it? On Fri, Jul 27, 2012 at 6:34 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > On Thu, 2012-07-26 at 13:30 -0700, William Roberts wrote: >> In general I would like to add this feature. I think it is much more >> palatable checking for denials and errors with the device "working", >> rather then having it freak out at the splash screen. For instance, >> suppose the launcher isn't in the right domain, you fix that, just to >> find out some other app luanched off the launcher would fail too. If >> you could just audit, you could review the denials and then make your >> policy change in one movement. >> >> Just doing it for sebool doesn't make sense to me, as adding the >> boolean rule is no different than seinfo or other rules. Either it >> matches or not. > > Understood. But here's the counterargument. Let's suppose I am testing > my system in permissive mode, looking for avc denials in my dmesg and > logcat output (the latter for zygote denials), and everything looks ok. > Now I switch to enforcing mode and suddenly find that all apps fail to > launch because there was an error in my seapp_contexts configuration. I > never thought to look for other kinds of error messages while in > permissive mode (and SEAndroidManager won't currently show me these > other messages). And now I can't switch back to permissive mode without > going to ADB because I can't even run my SEAndroidManager app to set it. > See the concern? > > -- > Stephen Smalley > National Security Agency > -- Respectfully, William C Roberts -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
