On 04/19/2014 03:53 PM, Kernel freak wrote:
> Hello friends,
> I am starting a new thread to achieve the objective.
> I want to attach my own piece of code wherever SELinux takes an access
> decision, i.e. the policy decision point. So for example, whenever it queries
> the database to check the rule, I want to return "allowed" every time
> through code and not by using permissive mode. It is very important that I
> don't use permissive mode.
>
> My point of confusion is which part of the code I should look at to see where
> there is a policy decision point where the database is queried. As far as I
> understand, a return of '0' means access is allowed. I tried hardcoding
> rc=0 in many situations, but there are still a lot of denials I am getting.
>
> Kindly let me know. Thank you for your time.

Permissive mode still logs the denial even though it does not return an error to the caller and allows the system call to proceed. So that is why you still see AVC denial messages even if you return 0 from avc_denied(), just like permissive mode. If you want to allow everything with no log messages, then change security_compute_av() to just goto allow, where it sets the avd->allowed vector to all-bits-set (i.e. all permissions granted) and returns.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
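The reply above distinguishes three outcomes: enforcing mode (deny and log), permissive mode or a hard-coded 0 from avc_denied() (allow but still log), and an all-bits-set allowed vector from security_compute_av() (allow, and the AVC never sees a denial to log). The following user-space model, added here as an illustration and not taken from the kernel or from either poster, reproduces that flow. The function names are borrowed from security/selinux/avc.c and security/selinux/ss/services.c, but the bodies, the single-permission "policy", and the permission bit values are constructed for the example; the real kernel code takes SIDs, classes and an AVC cache into account and is not this simple.

```c
/* Simplified model of the SELinux access-decision path (added example,
 * not kernel code). Names follow the kernel's avc.c / services.c, but
 * every body here is a teaching stand-in with a constructed policy. */
#include <stdint.h>
#include <stdio.h>

#define EACCES 13

/* Constructed permission bits for the example; not the kernel's values. */
#define PERM_READ  (1u << 0)
#define PERM_WRITE (1u << 1)

struct av_decision {
    uint32_t allowed;   /* bitmask of permissions the policy grants */
};

static int allow_everything;   /* models the "goto allow" shortcut */
static int permissive;         /* models global permissive mode */
static int denial_log_count;   /* number of AVC denial records emitted */

/* Models security_compute_av(): fills in what the policy grants.
 * With allow_everything set, every bit is granted, so avc_has_perm()
 * below never computes a non-zero denied mask and nothing is logged. */
static void security_compute_av(struct av_decision *avd)
{
    if (allow_everything) {
        avd->allowed = ~0u;     /* all-bits-set: all permissions granted */
        return;
    }
    avd->allowed = PERM_READ;   /* the constructed policy grants read only */
}

/* Models avc_denied(): reached only when a requested bit is missing.
 * It logs the denial first, then returns 0 (allow) in permissive mode
 * or -EACCES in enforcing mode. Hard-coding "return 0" here therefore
 * still produces the log line, which is the original poster's symptom. */
static int avc_denied(uint32_t requested, uint32_t denied)
{
    denial_log_count++;
    printf("avc: denied { 0x%x } requested=0x%x permissive=%d\n",
           denied, requested, permissive);
    return permissive ? 0 : -EACCES;
}

/* Models avc_has_perm(): the decision point. 0 = allowed, -EACCES = denied. */
static int avc_has_perm(uint32_t requested)
{
    struct av_decision avd;
    uint32_t denied;

    security_compute_av(&avd);
    denied = requested & ~avd.allowed;
    if (denied)
        return avc_denied(requested, denied);
    return 0;
}

/* Runs one request under a given configuration and returns its rc. */
int decide(int perm, int allow_all, uint32_t requested)
{
    permissive = perm;
    allow_everything = allow_all;
    denial_log_count = 0;
    return avc_has_perm(requested);
}

/* Number of denial records logged by the most recent decide() call. */
int denials_logged(void)
{
    return denial_log_count;
}

int main(void)
{
    int rc;

    rc = decide(0, 0, PERM_WRITE);
    printf("enforcing:            rc=%d logged=%d\n", rc, denials_logged());
    rc = decide(1, 0, PERM_WRITE);
    printf("permissive:           rc=%d logged=%d\n", rc, denials_logged());
    rc = decide(0, 1, PERM_WRITE);
    printf("compute_av allow-all: rc=%d logged=%d\n", rc, denials_logged());
    return 0;
}
```

Running the model shows the point of the reply: the permissive path and the hard-coded-0 path both return 0 yet still emit a denial record, because logging happens before the return value is chosen; only making the allowed vector all-bits-set in the compute step removes the denial before the AVC ever sees it.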