On Mon, 2017-04-24 at 16:02 +0100, Richard Haines wrote:
> On Mon, 2017-04-24 at 10:06 -0400, Stephen Smalley wrote:
> > On Mon, 2017-04-24 at 14:09 +0100, Richard Haines wrote:
> > > Only wanted the avd flags to check whether the domain was permissive
> > > or not using a selinux_check_access() type call.
> >
> > Why? What's the intended user?
>
> I was writing patches to update racoon and pluto to use
> selinux_check_access in place of avc_open etc. As these programs also
> log useful info I thought I would log the SELinux status (permissive
> mode etc. etc. for debugging). The only thing missing was if they were
> running in a permissive domain so I thought I would see if I could
> retrieve this as well. With this patch I can check if permission
> granted or not and also if permissive domain (provided of course the
> call returned the avd flags).
>
> The other way I thought of was add another entry to selinuxfs and pass
> the context to kernel and get whether permissive domain or not.
>
> Is there an easier way to detect a permissive domain without reading
> the policy?

Why not just mirror what we did in the kernel and add permissive=0|1 to
the avc: denied messages? avc_audit() already has the necessary
information; you don't need to export it outside of the AVC.
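The kernel-side convention Stephen refers to, a `permissive=0|1` field on each `avc: denied` record, is what lets an analyst tell from the audit log alone whether a denial was actually enforced or merely logged because the source domain (or the whole system) was permissive. The following is an added example, not code from this thread or from libselinux: it parses constructed audit lines in the kernel's AVC format, extracts the permissive flag, and groups denials by source type so that permissive-domain denials (which will start being enforced once the domain is switched to enforcing) stand out from enforced ones and from records that carry no `permissive=` field at all. The sample log lines, process names and inode numbers are constructed for the example.

```python
import re

# Constructed sample audit records (not taken from the thread). Field values
# such as pids, inodes and file names are made up; the layout follows the
# kernel's "avc:  denied  { perms } for ... permissive=N" format.
SAMPLE_LOG = """\
type=AVC msg=audit(1493046000.123:456): avc:  denied  { read } for  pid=1234 comm="racoon" name="psk.txt" dev="sda1" ino=5678 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493046001.456:457): avc:  denied  { write } for  pid=1234 comm="racoon" name="racoon.log" dev="sda1" ino=9012 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493046002.789:458): avc:  denied  { name_connect } for  pid=2345 comm="pluto" scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1493046003.012:459): avc:  denied  { getattr } for  pid=3456 comm="legacy" scontext=system_u:system_r:legacy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1493046003.012:459): arch=c000003e syscall=4 success=no exit=-13
"""

# Matches the AVC body: result, the brace-delimited permission set, and the
# trailing key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for non-AVC lines.

    'permissive' is True/False when the kernel supplied permissive=1/0 and
    None when the record has no such field (older kernels).
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    permissive = fields.get("permissive")
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": None if permissive is None else permissive == "1",
    }


def source_type(context):
    """Extract the type field (user:role:type[:range]) from a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(log_text):
    """Group denials by source type, splitting enforced vs permissive counts."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec["scontext"] is None:
            continue
        entry = summary.setdefault(
            source_type(rec["scontext"]),
            {"denials": 0, "enforced": 0, "permissive": 0, "unknown": 0, "perms": set()},
        )
        entry["denials"] += 1
        if rec["permissive"] is True:
            entry["permissive"] += 1      # logged only; access was allowed to proceed
        elif rec["permissive"] is False:
            entry["enforced"] += 1        # access was actually blocked
        else:
            entry["unknown"] += 1         # record predates the permissive= field
        entry["perms"].update(f"{rec['tclass']}:{p}" for p in rec["perms"])
    return summary


if __name__ == "__main__":
    for domain, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{domain}: {e['denials']} denial(s), enforced={e['enforced']}, "
              f"permissive={e['permissive']}, unknown={e['unknown']}, "
              f"perms={sorted(e['perms'])}")
```

A domain whose denials all carry `permissive=1` is the case Richard was trying to detect from inside the application; reading it off the audit record instead needs no extra selinuxfs interface and no access to the loaded policy.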