In looking at the userspace AVC netlink and sestatis code, I noticed there are a few discrepancies between the two mechanisms. Considering sestatus is intended (AFAICT) to be a swap-in replacement for netlink, I'd expect all of the same code paths to be covered. This doesn't seem to be the case. One such difference is the handling of `setenforce` events in `selinux_status_updated/setenforce()`. While netlink updates the internal `avc_enforcing` state, `selinux_status_updated/setenforce()` do not. Any userspace object manager wishing to use sestatus with the internal AVC is not guaranteed to have accurate state during calls to `avc_has_perm_noaudit`, unless they reach out to netlink. sestatus was initially implemented for use in sepgsql, which did not require use of `avc_has_perm_noaudit`. To more robustly support use of sestatus, I'm proposing that we improve upon the sestatus code by having it update/reset AVC internal state (avc_enforcing, for example) on status events. Would such a patch be of interest? Or would it be simpler to just update `avc_has_perm_noaudit` to query sestatus for enforcing, rather than refer to `avc_enforcing`? A few questions further questions in case this improvement is of interest: 1) Should there be separate callbacks for netlink counterparts in sestatus, or is the existing infrastructure suitable for implementing handling of those events? 2) With netlink we're guaranteed sequential processing of events. The same is not true for mmap()'ed status updates. Do we care about the order in which events are processed? Thanks in advance, -- Mike Palmiotto https://crunchydata.com
