SELINUX in permissive mode *prevents* write access?

Daniel J Walsh dwalsh at redhat.com
Fri Jul 30 12:23:55 UTC 2010


On 07/29/2010 07:07 PM, Nelson Strother wrote:
>   Should programs function the same / compute the same results when
> running a system with SELinux enabled but in permissive mode as when
> running a system with SELinux disabled?  I would have thought the only
> expected visible difference would be the presence or absence of
> warning messages.
> 
>   I am now running an application which does not yet have a complete
> or correct SELinux policy, so I edited /etc/selinux/config to contain:
> SELINUX=permissive
> saved, rebooted.  I was surprised to subsequently see in
> /var/log/messages lines such as:
> 
> ...setroubleshoot: SELinux is preventing /usr/bin/perl "write" access on z.sock.
> 
> If SELINUX=disabled is set and saved in /etc/selinux/config, after
> reboot no messages about preventing writes appear in /var/log/messages
> when running the same daemons and applications.
> 
>   I have not yet delved into the code enough to confirm or deny
> whether these writes were allowed or not (when running in permissive
> mode).  Does setroubleshoot log the same messages whether they are
> errors (enforcing mode, plausible wording as above) or warnings
> (permissive mode, better if worded something like:
> 
> ...setroubleshoot: SELinux warns about (inconsistent with policy) ...
> 
> )?  If I determine the actions matched the log message, should the
> bugzilla be filed against the policy, or setroubleshoot, or some other
> component?
> 
> Fedora 13
> selinux-policy-targeted-3.7.19-33.fc13.noarch
> setroubleshoot-2.2.88-1.fc13.x86_64
> 
> Cheers,
> Nelson
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

SELinux in permissive mode means that the kernel reports all of the
denials as if it were in enforcing mode, but then allows the syscall to
succeed.  If you look at the AVC record with

ausearch -m avc -ts recent

you will see the syscall record.  It includes a name/value pair of
success=yes or success=no.  If the machine is in permissive mode these
flags will be success=yes, indicating the syscall was NOT denied.  If
the machine is in enforcing mode it will USUALLY report success=no.  It can
report success=yes if the process domain is a permissive domain, or in
some cases a syscall can generate an AVC but still succeed, by going
down a different code path in the kernel.
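As an added example (not part of the original thread, and not a Fedora or setroubleshoot tool), the script below does mechanically what the reply above suggests doing by eye: it reads raw `ausearch -m avc` output, groups records by their audit serial number, pairs each `type=AVC` record with the `type=SYSCALL` record of the same event, and classifies the event by the SYSCALL record's `success=` field. The audit records embedded in it are constructed for illustration (hypothetical PIDs, inodes and contexts); the `permissive=` field on AVC records is emitted only by kernels new enough to include it, so the code treats it as optional and falls back to the reasoning in the reply (success=yes without that flag may mean global permissive mode, a permissive domain, or a syscall that succeeded via another code path).

```python
"""Pair SELinux AVC records with their SYSCALL records and tell whether
the access was actually blocked.  Input is raw ausearch output."""
import re
from dataclasses import dataclass, field
from typing import Optional

# type=AVC msg=audit(1280491200.123:101): <body>
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# avc:  denied  { write } for  pid=...
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")


def field_value(body: str, key: str) -> Optional[str]:
    """Return the value of key=value in an audit record body (quotes stripped)."""
    m = re.search(r"(?:^|\s)" + re.escape(key) + r"=(\"[^\"]*\"|\S+)", body)
    return m.group(1).strip('"') if m else None


@dataclass
class Event:
    serial: int
    avcs: list = field(default_factory=list)   # one dict per 'denied' AVC record
    success: Optional[str] = None              # 'yes' / 'no' from the SYSCALL record


def parse_ausearch(text: str) -> list:
    """Group audit records by serial; keep AVC denials and the SYSCALL success flag."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # '----' separators and 'time->' lines carry no fields
        ev = events.setdefault(int(m.group("serial")), Event(int(m.group("serial"))))
        body = m.group("body")
        if m.group("type") == "SYSCALL":
            ev.success = field_value(body, "success")
        elif m.group("type") == "AVC":
            a = AVC_RE.search(body)
            if a and a.group("verdict") == "denied":
                ev.avcs.append({
                    "perms": a.group("perms").split(),
                    "comm": field_value(body, "comm"),
                    "name": field_value(body, "name"),
                    "tclass": field_value(body, "tclass"),
                    "scontext": field_value(body, "scontext"),
                    "permissive": field_value(body, "permissive"),  # optional field
                })
    return [events[k] for k in sorted(events)]


def classify(ev: Event) -> str:
    """Decide whether the AVC denial actually stopped the syscall."""
    if not ev.avcs:
        return "no-denial"
    if ev.success is None:
        return "unknown"             # no SYSCALL record captured for this event
    if ev.success == "no":
        return "blocked"             # enforcing: the write really failed
    if any(a["permissive"] == "1" for a in ev.avcs):
        return "allowed-permissive"  # kernel says permissive (global or domain)
    return "allowed-other"           # success=yes: permissive mode on an older
                                     # kernel, permissive domain, or other code path


def report(text: str) -> list:
    """One row per AVC denial: (serial, comm, perms, tclass, name, verdict)."""
    return [(ev.serial, a["comm"], " ".join(a["perms"]), a["tclass"], a["name"], classify(ev))
            for ev in parse_ausearch(text) for a in ev.avcs]


# Constructed sample ausearch output (hypothetical pids, inodes and contexts).
SAMPLE = """\
----
time->Fri Jul 30 12:00:00 2010
type=SYSCALL msg=audit(1280491200.123:101): arch=c000003e syscall=42 success=yes exit=0 pid=2048 uid=48 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1280491200.123:101): avc:  denied  { write } for  pid=2048 comm="perl" name="z.sock" dev=dm-0 ino=131073 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
----
time->Fri Jul 30 12:00:01 2010
type=SYSCALL msg=audit(1280491201.456:102): arch=c000003e syscall=2 success=no exit=-13 pid=2100 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1280491201.456:102): avc:  denied  { read } for  pid=2100 comm="httpd" name="index.html" dev=dm-0 ino=262144 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
----
time->Fri Jul 30 12:00:02 2010
type=SYSCALL msg=audit(1280491202.789:103): arch=c000003e syscall=42 success=yes exit=0 pid=2048 uid=48 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1280491202.789:103): avc:  denied  { write } for  pid=2048 comm="perl" name="z.sock" dev=dm-0 ino=131073 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

if __name__ == "__main__":
    # On a live box: ausearch -m avc -ts recent | python3 thisscript.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for row in report(text):
        print("serial=%d comm=%s {%s} %s %s -> %s" % row)
```

Feeding the constructed sample through `report()` yields the three cases the reply distinguishes: serial 101 is `allowed-permissive`, serial 102 is `blocked`, and serial 103 is `allowed-other`. When the `-ts recent` window contains only `allowed-*` rows, the setroubleshoot "is preventing" wording in /var/log/messages is describing a policy gap, not a failed write.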

