On Fri, 2017-04-28 at 15:10 +0200, Dominick Grift wrote: > On Fri, Apr 28, 2017 at 02:05:16PM +0100, Richard Haines wrote: > > Add audit log entry to specify whether the decision was made in > > permissive mode/permissive domain or enforcing mode. > > > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > > --- > > V2 changes: Remove utilities and follow the kernel way of detecting > > whether permissive or not. > > > > libselinux/src/avc.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c > > index b1ec57f..96b2678 100644 > > --- a/libselinux/src/avc.c > > +++ b/libselinux/src/avc.c > > @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid, > > security_id_t tsid, > > > > log_append(avc_audit_buf, " "); > > avc_dump_query(ssid, tsid, tclass); > > + > > + if (denied) > > + log_append(avc_audit_buf, " permissive=%u", result > > ? 0 : 1); > > + > > log_append(avc_audit_buf, "\n"); > > avc_log(SELINUX_AVC, "%s", avc_audit_buf); > > > > -- > > 2.9.3 > > > > I hope you will still submit the utils as well. I think/hope that the > selinux_check_access util can be used with shell scripts to create a > simple user space object manager example Yes I will at some stage - just thinking of how to reply to Stephen's email on the subject and checking what ones I've already submitted to libselinux/utils. I have a number of these little utils/samples/examples that I use to test various bits of libsepol/libselinux and submit those I use to test my patches. Before I submit any I'll take your suggestion into acount. All ideas welcome. >
