Re: Allowing all access in SELinux without permissive mode.


On 01/07/2014 10:06 AM, Kernel freak wrote:
> Hello,
>         Thank you so much for the information. Sorry for the delay in
> replying. I guess I was a bit wrong in understanding the call. What I am
> looking for is the function which decides the access decision regardless
> of whether the policy is loaded or not. So, the function/s where it reads the
> policy file and, depending upon the rule from the policy file, returns
> the decision and logs that decision in the AVC. I would not like to use
> permissive mode for this as I am searching for the way access decisions
> are made in SELinux. As the Security Server (ss) is responsible for relaying
> the access decisions and not enforcing them, I was searching for them in
> ss. Kindly point it out if I am thinking in the wrong manner. Thank you so
> much for your time.

The policy is loaded into internal data structures during system
initialization (see security_load_policy and the functions it calls),
and the security server consults those data structures (see
security_compute_av and the functions it calls) to compute the allowed
permissions.  The decisions are stored in the avd (struct av_decision)
returned by the security server to the AVC.  You can trace through the
code, or read English descriptions in:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html
https://www.imperialviolet.org/2009/07/14/selinux.html
http://www.nsa.gov/research/_files/selinux/papers/slinux-abs.shtml

Obviously some of these references are quite out of date but can still
be helpful in understanding the overall structure and flow.

> Question to the mailing list head: While replying to mails on the mailing list,
> should the email replies of people who have already replied to me be included or
> not? Thank you.

You can infer it from the way I responded to your email; include the
_relevant_ portions of the message to which you are responding, and
"bottom posting" rather than "top posting" is preferred.  However, this
is increasingly counter to the defaults of modern email clients and
therefore you will see mixed practice, even by me.
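The decision path described above, as an added toy model in C (example code written for this page, not the kernel's own code from security/selinux/ss or security/selinux/avc.c): a security_load_policy analogue copies rules into in-memory tables, a security_compute_av analogue consults those tables and fills a struct av_decision (allowed/auditallow/auditdeny, the same three fields the kernel struct carries), and an avc_has_perm analogue does what the kernel's AVC does with that avd: compare the requested permissions against avd.allowed, enforce only when enforcing mode is on, and log according to auditdeny/auditallow. The rule table, the type names, the permission bit numbering and the log line format are all constructed for illustration. The pre-policy behaviour (everything allowed until a policy is loaded) follows the kernel default in security_compute_av; the rest is a simplification that omits SIDs, the AVC cache and the policy database structures.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed permission bits for one object class (toy numbering). */
#define PERM_READ  (1u << 0)
#define PERM_WRITE (1u << 1)
#define PERM_EXEC  (1u << 2)

/* Same three fields the kernel's struct av_decision carries. */
struct av_decision {
    uint32_t allowed;     /* permissions the policy grants */
    uint32_t auditallow;  /* granted permissions that must still be logged */
    uint32_t auditdeny;   /* denied permissions that must be logged */
};

/* One allow/auditallow/dontaudit triple as it sits in the loaded policy. */
struct rule {
    const char *scontext, *tcontext, *tclass;
    uint32_t allow, auditallow, dontaudit;
};

static struct rule policy[16];        /* the "loaded policy" data structure */
static size_t policy_len;
static bool policy_loaded;
static bool enforcing = true;         /* enforcing vs permissive mode */
static unsigned audit_count;          /* number of avc: lines emitted */

/* security_load_policy analogue: copy rules into the in-memory tables. */
static void toy_load_policy(const struct rule *rules, size_t n)
{
    if (n > sizeof policy / sizeof policy[0])
        n = sizeof policy / sizeof policy[0];
    memcpy(policy, rules, n * sizeof *rules);
    policy_len = n;
    policy_loaded = true;
}

static bool rule_matches(const struct rule *r, const char *sc,
                         const char *tc, const char *cls)
{
    return !strcmp(r->scontext, sc) && !strcmp(r->tcontext, tc) &&
           !strcmp(r->tclass, cls);
}

/* security_compute_av analogue: consult the loaded policy and fill avd.
 * This only computes the decision; it never enforces and never logs. */
static void toy_compute_av(const char *sc, const char *tc, const char *cls,
                           struct av_decision *avd)
{
    avd->allowed = 0;
    avd->auditallow = 0;
    avd->auditdeny = ~0u;            /* default: audit every denial */
    if (!policy_loaded) {            /* kernel default before policy load */
        avd->allowed = ~0u;
        return;
    }
    for (size_t i = 0; i < policy_len; i++) {
        const struct rule *r = &policy[i];
        if (!rule_matches(r, sc, tc, cls))
            continue;
        avd->allowed    |= r->allow;
        avd->auditallow |= r->auditallow;
        avd->auditdeny  &= ~r->dontaudit;
    }
}

/* avc_audit analogue: emit an "avc:" line in the familiar shape. */
static void toy_avc_audit(const char *verdict, uint32_t perms, const char *sc,
                          const char *tc, const char *cls)
{
    char names[64] = "";
    if (perms & PERM_READ)  strcat(names, " read");
    if (perms & PERM_WRITE) strcat(names, " write");
    if (perms & PERM_EXEC)  strcat(names, " execute");
    audit_count++;
    printf("avc: %s {%s } scontext=%s tcontext=%s tclass=%s permissive=%d\n",
           verdict, names, sc, tc, cls, enforcing ? 0 : 1);
}

/* avc_has_perm analogue: ask the security server, then enforce and audit.
 * Returns 0 when access is granted and -EACCES when it is denied. */
static int toy_avc_has_perm(const char *sc, const char *tc, const char *cls,
                            uint32_t requested)
{
    struct av_decision avd;
    toy_compute_av(sc, tc, cls, &avd);   /* the real AVC caches this result */
    uint32_t denied = requested & ~avd.allowed;
    if (denied) {
        /* avc_denied: permissive mode logs the denial but does not enforce */
        if (denied & avd.auditdeny)
            toy_avc_audit("denied", denied, sc, tc, cls);
        return enforcing ? -EACCES : 0;
    }
    if (requested & avd.auditallow)
        toy_avc_audit("granted", requested & avd.auditallow, sc, tc, cls);
    return 0;
}

/* Constructed sample policy (three rules, not taken from any real policy). */
static void toy_load_sample_policy(void)
{
    static const struct rule sample[] = {
        { "user_t", "user_home_t", "file", PERM_READ | PERM_WRITE, 0, 0 },
        { "user_t", "shadow_t",    "file", 0, 0, PERM_READ },         /* dontaudit read */
        { "user_t", "bin_t",       "file", PERM_EXEC, PERM_EXEC, 0 }, /* auditallow exec */
    };
    toy_load_policy(sample, sizeof sample / sizeof sample[0]);
}

static unsigned toy_audit_count(void) { return audit_count; }

int main(void)
{
    toy_load_sample_policy();
    toy_avc_has_perm("user_t", "user_home_t", "file", PERM_WRITE); /* silent grant */
    toy_avc_has_perm("user_t", "shadow_t", "file", PERM_READ);     /* denied, dontaudit */
    toy_avc_has_perm("user_t", "shadow_t", "file", PERM_WRITE);    /* denied, logged */
    toy_avc_has_perm("user_t", "bin_t", "file", PERM_EXEC);        /* granted, logged */
    enforcing = false;
    toy_avc_has_perm("user_t", "shadow_t", "file", PERM_WRITE);    /* logged, not enforced */
    return 0;
}
```

The point the model makes is the one in the reply above: toy_compute_av is the only place that looks at the policy, and it returns a decision rather than acting on it; toy_avc_has_perm is where enforcing versus permissive mode and the audit rules come into play. Flip `enforcing` and the decision is unchanged while the outcome and the `permissive=` field of the log line change.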

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.