Thank you Stephen. But you had also mentioned that security_compute_av() is a void function from kernel 3.0, so how is it responsible for whether access is allowed or not? Kindly clarify. Thank you for your time.
On Mon, Apr 21, 2014 at 3:01 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On 04/19/2014 03:53 PM, Kernel freak wrote:
> Hello friends,
> I am starting a new thread to achieve the objective.
> I want to attach my own piece of code wherever SELinux takes access
> decision or Policy decision point. So for example, whenever it queries
> the database to check the rule, I want to return "allowed" every time
> through code and not by using Permissive mode. It is very important I
> don't use permissive mode.
>
> My point of confusion is which part of code I should look to see where
> there is a policy decision point where database is queried. As far as I
> understand, a return of '0' means access is allowed. I tried hardcoding
> rc=0 in many situations, but there are a lot of denials I am getting.
>
> Kindly let me know. Thank you for your time.
Permissive mode still logs the denial even though it does not return an
error to the caller and allows the system call to proceed. So that is
why you still see avc denial messages even if you return 0 from
avc_denied(), just like permissive mode.
If you want to allow everything with no log messages, then just change
security_compute_av() to just goto allow, where it sets the avd->allowed
vector to all-bits-set (i.e. all permissions granted) and returns.
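A simplified C model of the AVC decision path Stephen describes, added here as an illustration; it is not the kernel's code. The policy lookup is a constructed stand-in that grants only FILE__READ, the FILE__READ/FILE__WRITE bits are made up for the example, and the allow_all parameter stands for the "goto allow" change to security_compute_av(). It shows why forcing avc_denied() to return 0 (or running permissive) still produces an audit record, while an all-bits-set allowed vector produces none.

```c
#include <errno.h>
#include <stdint.h>
#define AVD_FLAGS_PERMISSIVE 0x0001   /* per-domain permissive flag, as in the kernel */
#define FILE__READ  0x1               /* constructed permission bits for this example */
#define FILE__WRITE 0x2

struct av_decision { uint32_t allowed, auditallow, auditdeny, flags; };

/* Stand-in for the policy lookup: grants only FILE__READ, audits every denial.
 * allow_all models the "goto allow" change: allowed vector all-bits-set. */
static void security_compute_av(int allow_all, struct av_decision *avd)
{
    avd->allowed = allow_all ? ~0u : FILE__READ;
    avd->auditallow = 0;       /* no auditallow rules in this constructed policy */
    avd->auditdeny = ~0u;      /* no dontaudit rules either */
    avd->flags = 0;
}

/* Mirrors avc_denied(): permissive mode turns the denial into rc = 0, but the
 * avd->allowed vector is unchanged, so avc_audit() still sees the denial. */
static int avc_denied(int enforcing, const struct av_decision *avd)
{
    if (enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
        return -EACCES;
    return 0;
}

/* Mirrors the audit decision in avc_audit(); returns the audited permission mask. */
static uint32_t avc_audit(uint32_t requested, const struct av_decision *avd, int rc)
{
    uint32_t denied = requested & ~avd->allowed;
    if (denied)
        return denied & avd->auditdeny;      /* denial logged even when rc == 0 */
    if (rc)
        return requested;
    return requested & avd->auditallow;
}

/* Mirrors avc_has_perm(): rc 0 lets the syscall proceed; *logged is what gets audited. */
int avc_has_perm(int enforcing, int allow_all, uint32_t requested, uint32_t *logged)
{
    struct av_decision avd;
    int rc = 0;
    security_compute_av(allow_all, &avd);
    if (requested & ~avd.allowed)
        rc = avc_denied(enforcing, &avd);
    *logged = avc_audit(requested, &avd, rc);
    return rc;
}
```

Calling avc_has_perm(0, 0, FILE__WRITE, &logged) returns 0 with logged == FILE__WRITE (permissive: proceeds, still audited), whereas avc_has_perm(1, 1, FILE__WRITE, &logged) returns 0 with logged == 0.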