Re: Allowing all access in SELinux without permissive mode.

Hello,
Thank you so much for the information. Sorry for the delay in replying. I guess I was a bit wrong in understanding the call. What I am looking for is the function which decides the access decision regardless of whether the policy is loaded or not. So, the function(s) where it reads the policy file and, depending upon the rule from the policy file, returns the decision and logs that decision in the AVC. I would not like to use permissive mode for this, as I am searching for the way access decisions are made in SELinux. As the Security Server (ss) is responsible for relaying the access decisions and not enforcing them, I was searching for them in ss. Kindly point out if I am thinking in the wrong manner. Thank you so much for your time.

Question to the mailing list head: While replying to mails on the mailing list, should the replies of people who have already replied to me be included or not? Thank you.


On Mon, Jan 6, 2014 at 7:57 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On 01/06/2014 11:32 AM, William Roberts wrote:
> On Mon, Jan 6, 2014 at 4:08 AM, Kernel freak <kernelfreak@xxxxxxxxx> wrote:
>> Hello Friends,
>>                       I am currently working on SELinux and as a part of it,
>> I need to make some changes to it. Basically, I would like to allow all
>> access requests, but not by enabling permissive mode.
>
> That's what permissive mode is. It logs all requests not granted and
> allows them to
> happen. Why would you need to modify the code?
>
> If you need finer granularity, you can use the permissive attribute on domains
> so in global enforcing mode, domains declared with this will run in
> permissive mode.

Also, note that the default behavior of security_compute_av() is to
allow everything until you load a policy (until ss_initialized is set).

If you want to allow everything and collect avc messages, you want
permissive mode (either global permissive mode or per-domain permissive
mode).  That logic however is in the AVC (security/selinux/avc.c) not in
the security server (security/selinux/ss/*).

If you want to allow everything and not generate avc messages, you can
just not load a policy.  security_compute_av will already allow
everything by default until you load a policy, just by setting
avd->allowed to all-bits-set.
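
The split described in this thread, as an added example that is not part of any poster's message and is not kernel source: a simplified user-space model in which the security server only computes a decision and the AVC logs and enforces it. The function signatures, the `check` helper, the SIDs, the permission bits and the one-rule policy are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, NOT kernel source; SIDs, bits and policy are constructed. */
#define AVD_FLAGS_PERMISSIVE 0x1u
struct av_decision { uint32_t allowed; uint32_t flags; };

static int ss_initialized;     /* becomes 1 once a policy is loaded */
static int selinux_enforcing;  /* global enforcing (1) / permissive (0) */
static unsigned avc_denials;   /* number of "avc: denied" records emitted */

/* Security server: computes the decision, never enforces it. */
static void security_compute_av(uint32_t ssid, struct av_decision *avd)
{
    avd->allowed = 0; avd->flags = 0;
    if (!ss_initialized) {          /* no policy loaded: all bits set */
        avd->allowed = 0xffffffffu;
        return;
    }
    if (ssid == 1)                  /* constructed rule: SID 1 gets bit 0x1 */
        avd->allowed = 0x1u;
    if (ssid == 2)                  /* constructed: SID 2 is a permissive domain */
        avd->flags |= AVD_FLAGS_PERMISSIVE;
}

/* AVC: compares the request with the decision, logs, applies enforcing mode. */
static int avc_has_perm(uint32_t ssid, uint32_t requested)
{
    struct av_decision avd;
    security_compute_av(ssid, &avd);
    if (!(requested & ~avd.allowed))
        return 0;                   /* granted by the decision, nothing logged */
    avc_denials++;                  /* a denial is logged in every mode */
    if (selinux_enforcing && !(avd.flags & AVD_FLAGS_PERMISSIVE))
        return -EACCES;
    return 0;                       /* global or per-domain permissive: allow */
}

/* Hypothetical helper: set the global state, then run one permission check. */
static int check(int loaded, int enforcing, uint32_t ssid, uint32_t requested)
{
    ss_initialized = loaded;
    selinux_enforcing = enforcing;
    return avc_has_perm(ssid, requested);
}
int main(void)
{
    printf("%d %d %d\n", check(0, 1, 1, 0x2), check(1, 1, 1, 0x2), check(1, 1, 2, 0x2));
    return 0;
}
```

With no policy loaded the request is allowed and nothing is logged; with a policy loaded the same request is logged in all three modes and refused only when the system is enforcing and the domain is not permissive.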


