On 07/29/2010 07:07 PM, Nelson Strother wrote:
Should programs function the same / compute the same results when
running a system with SELinux enabled but in permissive mode as when
running a system with SELinux disabled? I would have thought the only
expected visible difference would be the presence or absence of
warning messages.
I am now running an application which does not yet have a complete
or correct SELinux policy, so I edited /etc/selinux/config to contain:
SELINUX=permissive
saved, rebooted. I was surprised to subsequently see in
/var/log/messages lines such as:
...setroubleshoot: SELinux is preventing /usr/bin/perl "write" access on
z.sock.
If SELINUX=disabled is set and saved in /etc/selinux/config, after
reboot no messages about preventing writes appear in /var/log/messages
when running the same daemons and applications.
I have not yet delved into the code enough to confirm or deny
whether these writes were allowed or not (when running in permissive
mode). Does setroubleshoot log the same messages whether they are
errors (enforcing mode, plausible wording as above) or warnings
(permissive mode, better if worded something like:
...setroubleshoot: SELinux warns about (inconsistent with policy) ...
)? If I determine the actions matched the log message, should the
bugzilla be filed against the policy, or setroubleshoot, or some other
component?
Fedora 13
selinux-policy-targeted-3.7.19-33.fc13.noarch
setroubleshoot-2.2.88-1.fc13.x86_64
Cheers,
Nelson
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

SELinux in permissive mode means that the kernel reports all of the
denials as if it was in enforcing mode, but then allows the syscall to
succeed. If you look at the AVC record

ausearch -m avc -ts recent

you will see the syscall record. It includes a name/value pair of
success=yes or success=no. If the machine is in permissive mode these
flags will be success=yes, indicating the syscall was NOT denied. If
the machine is in enforcing mode it will USUALLY report success=no. It can
report success=yes if the process domain is a permissive domain, or in
some cases a syscall can generate an AVC but still succeed, by going
down a different code path in the kernel.
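The check the reply describes, as an added example that is not part of the thread: it pairs each AVC record with the SYSCALL record that shares its event serial and reads the success= field to tell an enforced denial from a logged-but-allowed one. The audit records are constructed (pids, inodes, timestamps and contexts are made up); they follow the raw format ausearch prints.

```python
import re
from collections import defaultdict

# Constructed sample in the raw format `ausearch -m avc -ts recent` prints; the
# pids, inodes, timestamps and security contexts here are made up, not from a real host.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1280423456.123:4521): avc:  denied  { write } for  pid=1234 comm="perl" name="z.sock" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1280423456.123:4521): arch=c000003e syscall=42 success=yes exit=0 items=0 ppid=1 pid=1234 uid=48 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1280423499.456:4522): avc:  denied  { write } for  pid=1234 comm="perl" name="z.sock" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1280423499.456:4522): arch=c000003e syscall=42 success=no exit=-13 items=0 ppid=1 pid=1234 uid=48 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group raw audit records by event serial: {serial: {record type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skips ausearch separators ("----", "time->...") and blank lines
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        if m.group("type") == "AVC":
            perms = PERMS_RE.search(m.group("body"))
            fields["perms"] = perms.group(1).split() if perms else []
        events[int(m.group("serial"))][m.group("type")] = fields
    return dict(events)

def classify(events):
    """For each AVC, read success= from the SYSCALL record sharing its serial.
    success=no means the kernel enforced the denial; success=yes means the
    syscall went ahead anyway (global permissive mode, a permissive domain, or
    a kernel code path that logs an AVC but still succeeds, as the reply notes)."""
    verdicts = {}
    for serial, recs in sorted(events.items()):
        if "AVC" not in recs:
            continue
        success = recs.get("SYSCALL", {}).get("success")
        verdicts[serial] = {"no": "denied", "yes": "allowed"}.get(success, "unknown")
    return verdicts

if __name__ == "__main__":
    events = parse_events(SAMPLE_AUDIT)
    for serial, verdict in classify(events).items():
        avc = events[serial]["AVC"]
        print(f"{serial}: {avc['comm']} {avc['perms']} on {avc.get('name')} -> {verdict}")
```

An "allowed" verdict only says the syscall was not denied; as the reply points out, that is also what a permissive domain produces on an otherwise enforcing system, so check the mode with getenforce before concluding anything about the policy.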