On Wed, Sep 21, 2022 at 2:54 PM <jeffxu@xxxxxxxxxxxx> wrote: > > From: Jeff Xu <jeffxu@xxxxxxxxxxxx> > > When SECURITY_SELINUX_DEVELOP=y and the system is running in permissive > mode, it is useful to disable logging from permissive domain, so audit > log does not get spamed. > > Signed-off-by: Jeff Xu <jeffxu@xxxxxxxxxxxx> > Signed-off-by: Luis Hector Chavez <lhchavez@xxxxxxxxxx> > Tested-by: Luis Hector Chavez <lhchavez@xxxxxxxxxxxx> > Tested-by: Jeff Xu<jeffxu@xxxxxxxxxxxx> > --- > security/selinux/Kconfig | 10 ++++++++++ > security/selinux/avc.c | 9 +++++++++ > 2 files changed, 19 insertions(+) I'm sorry, but I can't accept this into the upstream kernel. Permissive mode, both per-domain and system-wide, is not intended to be a long term solution. Permissive mode should really only be used as a development tool or emergency "hotfix" with the proper solution being either an adjustment of the existing policy (SELinux policy booleans, labeling changes, etc.) or the development of a new policy module which better fits your use case. -- paul-moore.com
