On Fri, Apr 28, 2017 at 02:05:16PM +0100, Richard Haines wrote: > Add audit log entry to specify whether the decision was made in > permissive mode/permissive domain or enforcing mode. > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > --- > V2 changes: Remove utilities and follow the kernel way of detecting > whether permissive or not. > > libselinux/src/avc.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c > index b1ec57f..96b2678 100644 > --- a/libselinux/src/avc.c > +++ b/libselinux/src/avc.c > @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid, security_id_t tsid, > > log_append(avc_audit_buf, " "); > avc_dump_query(ssid, tsid, tclass); > + > + if (denied) > + log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1); > + > log_append(avc_audit_buf, "\n"); > avc_log(SELINUX_AVC, "%s", avc_audit_buf); > > -- > 2.9.3 > I hope you will still submit the utils as well. I think/hope that the selinux_check_access util can be used with shell scripts to create a simple user space object manager example -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
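Review bot: In the added "if (denied)" block of avc_audit(), the expression "result ? 0 : 1" carries the whole meaning of the new field but has no comment. A reader has to infer that a denied permission with a zero result means the denial was not enforced. A one-line comment above the log_append() call would make this clear, and should also say that the field is emitted only for denials, so log consumers do not expect "permissive=" on granted records. As a minor style point, the ternary yields an int while the format is "%u"; either use "%d" or make the operands unsigned so the format and argument types agree. The commit message describes the intent but does not show a sample of the resulting log line, which would help anyone updating audit parsers.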