From: Justin Smith <jsmith_at_mcs.drexel.edu>
subject: Question
Date: 19 Dec 2001 16:06:46 -0500


Is there a simple way to determine whether the system is in enforcing or permissive mode (other than issuing the avc_toggle command twice)?
--

You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Question
Date: Wed, 19 Dec 2001 16:29:23 -0500 (EST)

On 19 Dec 2001, Justin Smith wrote:

> Is there a simple way to determine whether the system is in enforcing or
> permissive mode (other than issuing the avc_toggle command twice)?

Not currently. We originally created the Development option and avc_toggle with the intent of only using it for the development of security policy configurations, expecting that one would build a kernel without the option for operational use once the desired policy configuration had been developed. However, some people may choose to always use a kernel with this option enabled and use avc_toggle in an rc script to switch into enforcing mode during initialization so that they can revert to permissive mode later from an authorized domain. In that situation, I can see that it would be useful to be able to determine whether the kernel is currently permissive or enforcing. Curiously, I received this same question via private email from another person earlier this week.

I suppose that we can add this to our TODO list. It should be quite trivial.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com






From: Stephen Smalley <sds_at_tislabs.com>
subject: [PATCH] avc_enforcing (Was: Re: Question)
Date: Fri, 21 Dec 2001 10:51:17 -0500 (EST)

On 19 Dec 2001, Justin Smith wrote:

> Is there a simple way to determine whether the system is in enforcing or
> permissive mode (other than issuing the avc_toggle command twice)?

The attached patches add a call and program that will allow you to test whether the system is enforcing or permissive without toggling. The first patch should be applied to the lsm tree, and the second patch should be applied to the selinux tree. Apply the patches, rebuild your kernel, do a 'make install' in the selinux/module directory to reinstall the header files used by libsecure, and rebuild and install libsecure. After booting the new kernel, you can run avc_enforcing to see whether the system is enforcing or permissive.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com







  • TEXT/PLAIN attachment: esyscall.patch
  • TEXT/PLAIN attachment: elib.patch

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT
