-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/27/2013 09:43 AM, Laurent Bigonville wrote:
> Hello,
>
> After some debugging on Debian to figure out why D-Bus was denying messages
> between my user session and policykit with SELinux in permissive mode,
> eparis pointed out to me that Fedora has a patch for this in the
> avc_has_perm() function.
>
> The patch[0] itself seems pretty trivial and I was wondering if it (or
> something similar) could be merged in the upstream codebase.
>
> But, if I'm not wrong, this patch makes avc_has_perm() and
> avc_has_perm_noaudit() have different behavior when the machine is running
> in permissive mode; shouldn't this be tested in the avc_has_perm_noaudit()
> function instead?
>
> my 2¢,
>
> Laurent Bigonville
>
> [0]
> http://pkgs.fedoraproject.org/cgit/libselinux.git/tree/libselinux-rhat.patch#n704
>
> --
> This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes
> as the message.

I believe this patch was rejected upstream. Basically upstream wanted the
calling apps to check the permissive flags themselves. DBUS argued against
it, so we carry a patch for it.

The reason this is not in avc_has_perm_noaudit is that we want the avc to
still be audited. I agree that it should be moved up to
avc_has_perm_noaudit. avc_has_perm_noaudit currently checks the permissive
flag on only one code path, but not on failures.

The argument is whether or not avc_has_perm* should ever block anything in
permissive mode. We believe it should not. I will move the override check to
avc_has_perm_noaudit.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJuXt0ACgkQrlYvE4MpobNkPwCgmAqYTTwRqfW2HxzyVz2AKrPc
9MgAoLEkCxZ2iNHsWRs+BEJlTwRmV14Y
=TiuS
-----END PGP SIGNATURE-----
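The three behaviours the reply contrasts (avc_has_perm_noaudit() reporting a denial regardless of mode, an upstream avc_has_perm() that audits and still denies, and the Fedora-patched avc_has_perm() that audits and then lets the access through in permissive mode, versus the caller doing the permissive check itself as upstream asked of D-Bus), as an added stand-alone model. This is example code written for this page, not libselinux code and not from either poster: policy lookup, the enforcing flag and the audit sink are stubbed so it compiles without libselinux, every name ending in _model is an assumption of the example, and the sample contexts and single allow rule are constructed. Only the return convention (0 = allowed, -1 with errno set to EACCES = denied) follows the real avc_has_perm().

```c
/* Added example: stand-alone model of the permissive-mode question in the
 * thread.  NOT libselinux code.  Policy lookup, the enforcing flag and the
 * audit sink are stubbed; every *_model name is an assumption of this
 * example.  Only the return convention (0 = allowed, -1 + errno == EACCES =
 * denied) is the real avc_has_perm() one. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy policy: a single allow rule.  Contexts are shaped like
 * SELinux ones but chosen here for illustration only. */
struct rule_model { const char *scon, *tcon, *cls, *perm; };
static const struct rule_model allow_rules_model[] = {
    { "system_u:system_r:policykit_t", "system_u:system_r:policykit_t",
      "dbus", "send_msg" },
};

static int audit_count_model = 0;              /* stand-in for the audit log */
static int audits_logged_model(void) { return audit_count_model; }

static int policy_allows_model(const char *scon, const char *tcon,
                               const char *cls, const char *perm)
{
    size_t n = sizeof allow_rules_model / sizeof allow_rules_model[0];
    for (size_t i = 0; i < n; i++) {
        const struct rule_model *r = &allow_rules_model[i];
        if (!strcmp(r->scon, scon) && !strcmp(r->tcon, tcon) &&
            !strcmp(r->cls, cls) && !strcmp(r->perm, perm))
            return 1;
    }
    return 0;
}

/* Shape of avc_has_perm_noaudit(): decide, never audit.  As the reply says,
 * the permissive flag is not consulted on the failure path, so a denial is
 * reported even when `enforcing` is 0 (the flag is deliberately unused). */
static int avc_has_perm_noaudit_model(const char *scon, const char *tcon,
                                      const char *cls, const char *perm,
                                      int enforcing)
{
    (void)enforcing;
    if (policy_allows_model(scon, tcon, cls, perm))
        return 0;
    errno = EACCES;
    return -1;
}

/* Shared body of the two audited variants: the denial is always audited;
 * `override` says whether the AVC itself applies the permissive override. */
static int avc_has_perm_common_model(const char *scon, const char *tcon,
                                     const char *cls, const char *perm,
                                     int enforcing, int override)
{
    if (avc_has_perm_noaudit_model(scon, tcon, cls, perm, enforcing) == 0)
        return 0;
    audit_count_model++;
    fprintf(stderr, "avc: denied { %s } scontext=%s tcontext=%s tclass=%s%s\n",
            perm, scon, tcon, cls, enforcing ? "" : " permissive=1");
    if (override && !enforcing)
        return 0;              /* permissive: logged, but nothing is blocked */
    errno = EACCES;
    return -1;
}

/* Upstream shape: audit, then return the denial even in permissive mode. */
static int avc_has_perm_upstream_model(const char *scon, const char *tcon,
                                       const char *cls, const char *perm,
                                       int enforcing)
{
    return avc_has_perm_common_model(scon, tcon, cls, perm, enforcing, 0);
}

/* Fedora-patched shape: audit, then turn the denial into success when the
 * system is not enforcing. */
static int avc_has_perm_patched_model(const char *scon, const char *tcon,
                                      const char *cls, const char *perm,
                                      int enforcing)
{
    return avc_has_perm_common_model(scon, tcon, cls, perm, enforcing, 1);
}

/* What upstream asked callers such as D-Bus to do instead: use the unpatched
 * AVC and apply the permissive check on the caller's side.  1 = deliver the
 * message, 0 = drop it. */
static int bus_may_deliver_model(const char *scon, const char *tcon,
                                 const char *perm, int enforcing)
{
    if (avc_has_perm_upstream_model(scon, tcon, "dbus", perm, enforcing) == 0)
        return 1;
    return enforcing ? 0 : 1;
}

int main(void)
{
    const char *user = "unconfined_u:unconfined_r:unconfined_t";
    const char *pk = "system_u:system_r:policykit_t";
    /* Permissive mode: the scenario from the original report in miniature. */
    printf("noaudit : %d\n", avc_has_perm_noaudit_model(user, pk, "dbus", "send_msg", 0));
    printf("upstream: %d\n", avc_has_perm_upstream_model(user, pk, "dbus", "send_msg", 0));
    printf("patched : %d\n", avc_has_perm_patched_model(user, pk, "dbus", "send_msg", 0));
    printf("bus     : %d\n", bus_may_deliver_model(user, pk, "send_msg", 0));
    return 0;
}
```

Running it in permissive mode shows the split the reply describes: the noaudit and upstream variants still return -1 for the user-to-policykit message, the patched variant returns 0 but the AVC denial line is still emitted, and the caller-side check reaches the same "deliver" answer only because D-Bus would have to carry that logic itself.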