On 10/27/2013 09:43 AM, Laurent Bigonville wrote:
> Hello,
>
> After some debugging on Debian to figure out why D-Bus was denying
> messages between my user session and policykit with SELinux in
> permissive mode, eparis pointed out to me that Fedora has a patch for
> this in the avc_has_perm() function.
>
> The patch[0] itself seems pretty trivial and I was wondering if it (or
> something similar) could be merged in the upstream codebase.
>
> But, if I'm not wrong, this patch makes avc_has_perm() and
> avc_has_perm_noaudit() have different behavior when the machine is
> running in permissive mode, shouldn't this be tested in the
> avc_has_perm_noaudit() function instead?

I'm pretty sure I NAKed that previously. Permissive mode isn't supposed to hide other kinds of errors/bugs other than policy denials, so making it hide arbitrary error conditions (which could include completely bogus security contexts, security classes, memory allocation failure, etc.) is definitely not a good thing. Particularly if there is absolutely no logging of what the issue was so that you have a hope of noting it before switching to enforcing.
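As an added example (not code from this thread or from libselinux), the following C model shows the distinction the reply draws: the one condition permissive mode is meant to mask is a policy denial, signalled here as EACCES, while the other failures listed (bogus contexts, allocation failure) stay errors and get logged in every mode. model_avc_lookup, check_perm and blanket_permissive_check are hypothetical stand-ins for the real AVC calls, and the SSID/TSID values are constructed.

```c
/* Constructed model of an AVC access check and two ways of treating
 * permissive mode. Hypothetical names; no libselinux is used. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { CTX_BOGUS = 0, CTX_OK = 1 };     /* constructed SIDs */
#define PERM_DENIED_BIT 0x4             /* constructed: policy denies this bit */

/* Stand-in for an AVC lookup: 0 on grant, -1 with errno set otherwise. */
static int model_avc_lookup(int ssid, int tsid, unsigned requested)
{
    if (ssid == CTX_BOGUS || tsid == CTX_BOGUS) { errno = EINVAL; return -1; } /* bad context */
    if (requested == 0)                          { errno = ENOMEM; return -1; } /* simulated alloc failure */
    if (requested & PERM_DENIED_BIT)             { errno = EACCES; return -1; } /* policy denial */
    return 0;
}

static int last_logged_errno = 0;
int last_logged_error(void) { return last_logged_errno; }

/* The behaviour the reply objects to: in permissive mode every failure,
 * whatever its cause, is turned into "allowed" and nothing is logged. */
int blanket_permissive_check(int permissive, int ssid, int tsid, unsigned requested)
{
    int rc = model_avc_lookup(ssid, tsid, requested);
    return permissive ? 0 : rc;
}

/* The behaviour the reply argues for: only a policy denial (EACCES) is
 * masked by permissive mode; any other errno is a bug, is logged, and is
 * returned as an error in both modes so it is seen before enforcing. */
int check_perm(int permissive, int ssid, int tsid, unsigned requested)
{
    int rc = model_avc_lookup(ssid, tsid, requested);
    if (rc == 0)
        return 0;
    if (errno == EACCES)                 /* denial: AVC audits it, permissive lets it through */
        return permissive ? 0 : -1;
    last_logged_errno = errno;           /* record and report the real error */
    fprintf(stderr, "avc: non-denial error in access check: %s\n", strerror(errno));
    return -1;
}
```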