SELINUX in permissive mode *prevents* write access?

Nelson Strother xunilarodef at gmail.com
Thu Jul 29 23:07:38 UTC 2010


  Should programs function the same / compute the same results when
running a system with SELinux enabled but in permissive mode as when
running a system with SELinux disabled?  I would have thought the only
expected visible difference would be the presence or absence of
warning messages.

  I am now running an application which does not yet have a complete
or correct SELinux policy, so I edited /etc/selinux/config to contain:
SELINUX=permissive
saved, rebooted.  I was surprised to subsequently see in
/var/log/messages lines such as:

...setroubleshoot: SELinux is preventing /usr/bin/perl "write" access on z.sock.

If SELINUX=disabled is set and saved in /etc/selinux/config, after
reboot no messages about preventing writes appear in /var/log/messages
when running the same daemons and applications.

  I have not yet delved into the code enough to confirm or deny
whether these writes were allowed or not (when running in permissive
mode).  Does setroubleshoot log the same messages whether they are
errors (enforcing mode, plausible wording as above) or warnings
(permissive mode, better if worded something like:

...setroubleshoot: SELinux warns about (inconsistent with policy) ...

)?  If I determine the actions matched the log message, should the
bugzilla be filed against the policy, or setroubleshoot, or some other
component?

Fedora 13
selinux-policy-targeted-3.7.19-33.fc13.noarch
setroubleshoot-2.2.88-1.fc13.x86_64

Cheers,
Nelson
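As an added illustration (not part of the original post, and not Fedora or setroubleshoot code): in permissive mode the kernel still audits every policy violation, but the access goes ahead; the AVC record in /var/log/audit/audit.log carries a `permissive=1` or `permissive=0` field on kernels that emit it, which is the most direct way to answer the poster's question of whether the writes were actually allowed. The script below parses a few constructed AVC records (the first mirrors the "perl write access on z.sock" denial from the post; the contexts, pids and inode numbers are made up) and labels each one as blocked, allowed-but-logged, or undetermined when the field is absent.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample audit records (not taken from the original post or any
# real system). Field values such as pid, inode and the security contexts are
# placeholders; the third AVC line deliberately lacks a permissive= field to
# model an older kernel.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1280444858.123:42): avc:  denied  { write } for  pid=1234 comm="perl" name="z.sock" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1280444858.456:43): avc:  denied  { read } for  pid=1234 comm="perl" name="config.yml" dev=dm-0 ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1280444858.456:43): arch=c000003e syscall=2 success=no exit=-13 ...
type=AVC msg=audit(1280444858.789:44): avc:  denied  { connectto } for  pid=1234 comm="perl" path="/var/run/z.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." -- capture the permission
# set and the trailing key=value list.
AVC_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# key=value pairs; values are either double-quoted or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]
    fields: Dict[str, str]
    # True = access was refused (enforcing), False = only logged (permissive),
    # None = record carries no permissive= field, so the mode is not recoverable
    # from this line alone.
    enforced: Optional[bool]


def parse_avc(log_text: str) -> List[AvcDenial]:
    """Extract AVC denial records from raw audit.log text."""
    denials: List[AvcDenial] = []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, CWD, PATH etc. records are skipped here
        m = AVC_DENIED_RE.search(line)
        if not m:
            continue
        perms = m.group(1).split()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        flag = fields.get("permissive")
        enforced = False if flag == "1" else True if flag == "0" else None
        denials.append(AvcDenial(perms, fields, enforced))
    return denials


def describe(d: AvcDenial) -> str:
    """One-line, operator-facing reading of a denial record."""
    subj = d.fields.get("comm", "?")
    obj = d.fields.get("name") or d.fields.get("path") or "?"
    what = f"{subj}: {'/'.join(d.perms)} on {obj} ({d.fields.get('tclass', '?')})"
    if d.enforced is False:
        return what + " -> logged only, access was ALLOWED (permissive); policy still lacks a rule"
    if d.enforced is True:
        return what + " -> BLOCKED (enforcing)"
    return what + " -> mode not recoverable from this record; check the paired SYSCALL record's success= field or getenforce"


def summarize(denials: List[AvcDenial]) -> Dict[str, int]:
    """Count records by outcome, e.g. to judge how far a policy is from complete."""
    counts = {"blocked": 0, "allowed_in_permissive": 0, "unknown": 0}
    for d in denials:
        if d.enforced is True:
            counts["blocked"] += 1
        elif d.enforced is False:
            counts["allowed_in_permissive"] += 1
        else:
            counts["unknown"] += 1
    return counts


if __name__ == "__main__":
    records = parse_avc(SAMPLE_AUDIT_LOG)
    for r in records:
        print(describe(r))
    print(summarize(records))
```

On a live system the same parser can be fed the output of `ausearch -m avc` (a real audit tool); when `permissive=` is missing from a record, the `success=` value in the SYSCALL record that shares the same audit serial is the fallback evidence of whether the operation went through.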

