Re: Changing selinux enforcing mode at runtime

On 9/9/19 1:16 PM, Srivatsa Vaddagiri wrote:
> Hello,
>     I wanted to know the behavior when selinux enforcing mode is
> changed at runtime via security_setenforce() API. Let's say we boot
> with selinux in permissive mode and after bootup we change it to
> enforcing mode. My question is related to the tasks that were created
> before we enabled enforcing mode. Would their subsequent file
> operations fail once selinux is set to enforcing mode (even though the
> policy may have been set to allow their access to say a file)?

No, they would not fail if the operation is allowed by the policy. In fact, this scenario is typical; commonly, the init process e.g. systemd performs the initial policy load and switches to enforcing mode. Further, you can fully boot a Linux distro e.g. Fedora in permissive mode and then switch to enforcing mode, and nothing should fail unless denied by policy.

The more complicated scenario is tasks created before initial policy load, because those may not be assigned the correct security context. To avoid this, the init process is typically responsible for loading policy initially and then either re-exec'ing itself or dynamically switching its own security context to the right value before proceeding.
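An added check, not part of this thread, for the second case the reply describes: after a runtime switch to enforcing (`setenforce 1`, which writes to /sys/fs/selinux/enforce), tasks that were created before the initial policy load still carry the kernel's initial label (kernel_t in the reference policy) rather than a proper domain. The script below reads `ps -eZ`-style output and flags such processes; the sample input is constructed, and the `ps` column layout is assumed to be the usual "LABEL PID TTY TIME CMD".

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): list processes that still
# run in kernel_t or unlabeled_t after a switch from permissive to enforcing,
# i.e. tasks created before the initial policy load that never re-exec'd or
# changed their own context. Assumes `ps -eZ` output as "LABEL PID TTY TIME CMD".

# Print "<pid> <context>" for each process whose type is kernel_t or unlabeled_t.
# Reads the ps output from stdin so it also runs on constructed input.
find_unlabeled_tasks() {
    awk 'NR > 1 {
        split($1, ctx, ":")            # user:role:type[:level]
        if (ctx[3] == "kernel_t" || ctx[3] == "unlabeled_t")
            print $2, $1
    }'
}

# Constructed sample of `ps -eZ` output: PIDs 1 and 412 started before policy
# load and kept the initial label; the others run in real domains.
SAMPLE='LABEL                               PID TTY          TIME CMD
system_u:system_r:kernel_t:s0         1 ?        00:00:01 init
system_u:system_r:unlabeled_t:s0    412 ?        00:00:00 legacy-daemon
system_u:system_r:init_t:s0         420 ?        00:00:00 systemd-journal
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 901 pts/0 00:00:00 bash'

# Show the current mode (0 = permissive, 1 = enforcing) when selinuxfs is mounted.
if [ -r /sys/fs/selinux/enforce ]; then
    echo "enforce=$(cat /sys/fs/selinux/enforce)"
fi

# On a live system run:  ps -eZ | find_unlabeled_tasks
printf '%s\n' "$SAMPLE" | find_unlabeled_tasks
```

Any process this reports will be subject to whatever policy grants kernel_t or unlabeled_t once enforcing is on, which is why init is expected to re-exec or switch its context before starting other services.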
