Forward looking to FC2 final and SELinux

Stephen Smalley sds at epoch.ncsc.mil
Thu Apr 8 11:35:26 UTC 2004


On Thu, 2004-04-08 at 04:28, Arjan van de Ven wrote:
> > I would like to see permissive mode the default,
> 
> let me mention one thing to take a misconception away: permissive mode
> does NOT, repeat NOT, mean unchanged behavior of the system compared to
> selinux being off. It *does* change behavior and some things WILL be
> denied. 

Are you referring to userland SELinux processing?  I think that the
userland patches are checking /selinux/enforce (via security_getenforce)
and acting accordingly, so that they also act "permissively" when the
kernel is in permissive mode.  Or are you referring to some aspect of
the kernel SELinux processing that is not governed by permissive mode?

If you are encountering denials in permissive mode, then I'd view that
as a bug; please report it.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
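
The userland behavior described in the message above, sketched as an added example; it is not part of the original post and is not code from the SELinux userland patches. The names `parse_enforce`, `read_enforce` and `userland_check` are hypothetical, and treating an unreadable mode as enforcing is an assumption of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Path from the message; SELinux is assumed to be enabled on this system. */
#define ENFORCE_PATH "/selinux/enforce"

enum { MODE_ERROR = -1, MODE_PERMISSIVE = 0, MODE_ENFORCING = 1 };

/* Parse the text of the enforce node: "0" (permissive) or "1" (enforcing). */
int parse_enforce(const char *buf)
{
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || (v != 0 && v != 1))
        return MODE_ERROR;
    return (int)v;
}

/* Same result convention as security_getenforce(): 1, 0, or -1 on error. */
int read_enforce(const char *path)
{
    char buf[8] = {0};
    FILE *f = fopen(path, "r");
    if (!f)
        return MODE_ERROR;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    return n ? parse_enforce(buf) : MODE_ERROR;
}

/* Hypothetical userland check: returns 1 to proceed, 0 to refuse. A denial is
 * always logged; it is enforced unless the kernel is known to be permissive. */
int userland_check(int policy_allows, int mode, const char *what)
{
    if (policy_allows)
        return 1;
    fprintf(stderr, "denied: %s (enforce=%d)\n", what, mode);
    return mode == MODE_PERMISSIVE;
}

int main(void)
{
    int mode = read_enforce(ENFORCE_PATH);
    /* Constructed sample: a request the policy does not allow. */
    int ok = userland_check(0, mode, "constructed sample request");
    printf("enforce=%d -> %s\n", mode, ok ? "proceed" : "refuse");
    return 0;
}
```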




