SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] From: Justin Smith <jsmith_at_mcs.drexel.edu> subject: Question Date: 19 Dec 2001 16:06:46 -0500 This message: [ Message body ] Next message: Stephen Smalley: "Re: Question" Previous message: Stephen Smalley: "Re: setting up new test user domain?" Next in thread: Stephen Smalley: "Re: Question" Reply: Stephen Smalley: "Re: Question" Reply: Stephen Smalley: "[PATCH] avc_enforcing (Was: Re: Question)" Is there a simple way to determine whether the system is in enforcing or permissive mode (other than issuing the avc_toggle command twice)? -- -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Stephen Smalley <sds_at_tislabs.com> subject: Re: Question Date: Wed, 19 Dec 2001 16:29:23 -0500 (EST) This message: [ Message body ] Next message: lonnie_at_outstep.com: "Re: setting up new test user domain?" Previous message: Justin Smith: "Question" In reply to: Justin Smith: "Question" Next in thread: Stephen Smalley: "[PATCH] avc_enforcing (Was: Re: Question)" On 19 Dec 2001, Justin Smith wrote: > Is there a simple way to determine whether the system is in enforcing or > permissive mode (other than issuing the avc_toggle command twice)? Not currently. We originally created the Development option and avc_toggle with the intent of only using it for the development of security policy configurations, expecting that one would build a kernel without the option for operational use once the desired policy configuration had been developed. However, some people may choose to always use a kernel with this option enabled and use avc_toggle in an rc script to switch into enforcing mode during initialization so that they can revert to permissive mode later from an authorized domain. In that situation, I can see that it would be useful to be able to determine whether the kernel is currently permissive or enforcing. Curiously, I received this same question via private email from another person earlier this week. I suppose that we can add this to our TODO list. It should be quite trivial. -- Stephen D. Smalley, NAI Labs ssmalley@nai.com -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Stephen Smalley <sds_at_tislabs.com> subject: [PATCH] avc_enforcing (Was: Re: Question) Date: Fri, 21 Dec 2001 10:51:17 -0500 (EST) This message: [ Message body ] Next message: Russell Coker: "su etc" Previous message: Noah silva: "Re: Debian SE Linux ?" In reply to: Justin Smith: "Question" On 19 Dec 2001, Justin Smith wrote: > Is there a simple way to determine whether the system is in enforcing or > permissive mode (other than issuing the avc_toggle command twice)? The attached patches add a call and program that will allow you to test whether the system is enforcing or permissive without toggling. The first patch should be applied to the lsm tree, and the second patch should be applied to the selinux tree. Apply the patches, rebuild your kernel, do a 'make install' in the selinux/module directory to reinstall the header files used by libsecure, and rebuild and install libsecure. After booting the new kernel, you can run avc_enforcing to see whether the system is enforcing or permissive. -- Stephen D. Smalley, NAI Labs ssmalley@nai.com -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. TEXT/PLAIN attachment: esyscall.patch TEXT/PLAIN attachment: elib.patch Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom