On 12/13/2016 8:26 AM, Stephen Smalley wrote:
> On 11/23/2016 09:17 AM, Dan Jurgens wrote:
>> @@ -177,6 +177,8 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
>>  		avc_ss_reset(0);
>>  		selnl_notify_setenforce(selinux_enforcing);
>>  		selinux_status_update_setenforce(selinux_enforcing);
>> +		if (!selinux_enforcing)
>> +			call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
>
> Why do you need this notification?  When switching from permissive to
> enforcing, you need (and already get) a notification since you may need
> to revoke previously granted permissions.  But what action do you need
> to take on switching to permissive?

MAD (management datagram) agents cache whether they are allowed to send and
receive subnet management protocol (SMP) datagrams.  Without this
notification they will still drop all SMPs in permissive mode if they
weren't allowed in enforcing mode.  This is handled in [PATCH v6 4/9]
IB/core: Enforce security on management datagrams.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
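Review bot: the `if (!selinux_enforcing)` guard in front of `call_lsm_notifier(LSM_POLICY_CHANGE, NULL)` in sel_write_enforce has no comment, and the reason for firing the notifier only on the switch to permissive is exactly the question the reviewer had to ask. Put the answer next to the call, e.g. "consumers (IB MAD agents) cache a send/receive decision and must re-check it when enforcement is switched off; the switch to enforcing is already notified". A second line is worth adding because the event is named LSM_POLICY_CHANGE but is raised here for an enforcing-mode change with no policy change, so state that consumers are expected to treat the event as "re-evaluate every cached decision" rather than as a policy reload.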
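The failure mode Dan describes (a consumer caches an access decision, so a denial taken while enforcing is still applied after the switch to permissive unless the consumer is told the mode changed), as an added user-space model that is not kernel code and not part of this patch series. The names mad_agent, smp_access_check(), setenforce(), register_agent() and the single-linked consumer list standing in for the LSM notifier chain are assumptions made for the illustration; the real kernel uses its notifier chains, the AVC, and the IB MAD code from patch 4/9.

```c
/* Added example, not kernel code: a user-space model of a notifier
 * consumer that caches an access decision.  All names below are
 * assumptions for illustration, not the kernel's or the patch's API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum lsm_event { LSM_POLICY_CHANGE };

/* Stands in for selinux_enforcing. */
static bool enforcing = true;

struct mad_agent {
	const char *name;
	bool policy_allows_smp;   /* constructed stand-in for the policy decision */
	bool smp_allowed;         /* cached result of the last access check */
	struct mad_agent *next;   /* link in the consumer list */
};

/* Access check semantics: a policy denial is enforced only when enforcing;
 * in permissive mode it would be audited and the operation allowed. */
static bool smp_access_check(const struct mad_agent *a)
{
	if (a->policy_allows_smp)
		return true;
	return !enforcing;
}

static struct mad_agent *agents;  /* registered notifier consumers */

static void register_agent(struct mad_agent *a)
{
	a->smp_allowed = smp_access_check(a);  /* decision cached once, here */
	a->next = agents;
	agents = a;
}

/* Model of call_lsm_notifier(): every consumer re-evaluates its cache. */
static void call_lsm_notifier(enum lsm_event ev)
{
	for (struct mad_agent *a = agents; a; a = a->next)
		if (ev == LSM_POLICY_CHANGE)
			a->smp_allowed = smp_access_check(a);
}

/* Model of the relevant part of sel_write_enforce().  The pre-existing
 * path notifies on the switch to enforcing; notify_on_permissive models
 * the two lines the patch adds. */
static void setenforce(bool new_value, bool notify_on_permissive)
{
	if (new_value == enforcing)
		return;
	enforcing = new_value;
	if (enforcing)
		call_lsm_notifier(LSM_POLICY_CHANGE);
	else if (notify_on_permissive)
		call_lsm_notifier(LSM_POLICY_CHANGE);
}

/* Fast path: the agent consults its cache, never the policy. */
static bool agent_would_drop_smp(const struct mad_agent *a)
{
	return !a->smp_allowed;
}

/* Scenario 1: denied while enforcing, then setenforce 0.
 * Returns true if the agent still drops SMPs in permissive mode. */
bool denied_agent_drops_after_permissive(bool with_patch)
{
	struct mad_agent a = { "agent0", false, false, NULL };
	agents = NULL;
	enforcing = true;
	register_agent(&a);
	setenforce(false, with_patch);
	return agent_would_drop_smp(&a);
}

/* Scenario 2: allowed while permissive, then setenforce 1.
 * Returns true if the cached allow is revoked (the existing behaviour). */
bool denied_agent_drops_after_enforcing(void)
{
	struct mad_agent a = { "agent0", false, false, NULL };
	agents = NULL;
	enforcing = false;
	register_agent(&a);
	setenforce(true, true);
	return agent_would_drop_smp(&a);
}

int main(void)
{
	printf("without patch, permissive: drops=%d\n",
	       denied_agent_drops_after_permissive(false));
	printf("with patch,    permissive: drops=%d\n",
	       denied_agent_drops_after_permissive(true));
	printf("enforcing again:           drops=%d\n",
	       denied_agent_drops_after_enforcing());
	return 0;
}
```

Without the added notification the cached denial outlives the mode switch and the agent keeps dropping SMPs in permissive mode; with it the agent re-runs the check and sees the permissive allow. The reverse transition already revokes the cached allow, which is the notification Stephen refers to as present already.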