Thanks a lot.

-----Original Message-----
From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
Sent: 13 March 2017 21:10
To: Weiyuan (David, Euler) <weiyuan....@huawei.com>; Roberts, William C <william.c.robe...@intel.com>
Cc: 'seandroid-list@tycho.nsa.gov' <seandroid-list@tycho.nsa.gov>; Lihui (Eric) <lih...@huawei.com>
Subject: Re: Questions about disable SECURITY_SELINUX_DEVELOP
On Mon, 2017-03-13 at 08:40 +0000, Weiyuan (David, Euler) wrote:
> Hi
>
> Currently I'm thinking about disabling SECURITY_SELINUX_DEVELOP by
> default to enhance security, so a hacker cannot easily turn off
> SELinux by modifying the global variable "selinux_enforcing".
>
> Question:
> If SECURITY_SELINUX_DEVELOP is disabled, the kernel will run in
> enforcing mode from the start, but there is no policy before the init process
> loads sepolicy into the kernel.
> In this no-policy-but-enforcing stage, how will the kernel behave? Will
> there be avc denials before loading sepolicy?

Until the policy is loaded, the security server allows all permissions. See security/selinux/ss/services.c:security_compute_av(), the !ss_initialized case. So, no, you won't get any avc denials before loading policy.

The security server resets the AVC upon policy load, so any permissions cached before loading policy will be flushed upon the first policy load and rechecked on subsequent operations.

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
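As an added illustration of the behaviour described in the reply above (this is a constructed model written for this page, not kernel code and not from the thread): a security_compute_av() stand-in grants every permission while its initialized flag is clear, and a policy load sets the flag and flushes the cache, so a decision cached before policy load is recomputed against the loaded policy on the next check. All model_* names, the one-rule toy policy and the sample SID and class numbers are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model, not kernel code: a security_compute_av() stand-in grants everything
 * while the initialized flag is clear; a policy load sets the flag and flushes the AVC so
 * cached pre-policy decisions are recomputed. All model_* names are hypothetical. */
#define MODEL_ALL_PERMS 0xffffffffu
#define MODEL_EACCES    13
#define MODEL_AVC_SLOTS 8
struct model_avc_entry { bool valid; int ssid, tsid, tclass; uint32_t allowed; };
static bool model_ss_initialized;                      /* stands in for ss_initialized */
static struct model_avc_entry model_avc[MODEL_AVC_SLOTS];
static unsigned model_avc_next;                        /* round-robin insert slot */
static struct { int ssid, tsid, tclass; uint32_t perms; } model_rule; /* one-rule toy policy */

/* Stand-in for security_compute_av(): the !ss_initialized branch allows everything. */
static uint32_t model_security_compute_av(int ssid, int tsid, int tclass)
{
    if (!model_ss_initialized)
        return MODEL_ALL_PERMS;
    if (ssid == model_rule.ssid && tsid == model_rule.tsid && tclass == model_rule.tclass)
        return model_rule.perms;
    return 0;                                          /* policy loaded: default deny */
}

/* Check through the cache; *hit reports whether the AVC already held the entry.
 * Returns 0 when every requested bit is allowed, -MODEL_EACCES otherwise. */
static int model_avc_has_perm(int ssid, int tsid, int tclass, uint32_t requested, bool *hit)
{
    struct model_avc_entry *e = NULL;
    for (int i = 0; i < MODEL_AVC_SLOTS && !e; i++)
        if (model_avc[i].valid && model_avc[i].ssid == ssid &&
            model_avc[i].tsid == tsid && model_avc[i].tclass == tclass)
            e = &model_avc[i];
    *hit = (e != NULL);
    if (!e) {                                          /* miss: compute and insert */
        e = &model_avc[model_avc_next++ % MODEL_AVC_SLOTS];
        *e = (struct model_avc_entry){ true, ssid, tsid, tclass,
                                       model_security_compute_av(ssid, tsid, tclass) };
    }
    return (e->allowed & requested) == requested ? 0 : -MODEL_EACCES;
}

/* Stand-in for avc_ss_reset(): every cached decision is dropped. */
static void model_avc_ss_reset(void) { memset(model_avc, 0, sizeof model_avc); }

/* Stand-in for policy load: install the rule, mark initialized, then flush the AVC. */
static void model_security_load_policy(int ssid, int tsid, int tclass, uint32_t perms)
{
    model_rule.ssid = ssid; model_rule.tsid = tsid; model_rule.tclass = tclass; model_rule.perms = perms;
    model_ss_initialized = true;
    model_avc_ss_reset();
}
```

Call model_avc_has_perm() for the same triple before and after model_security_load_policy(): the pre-policy call is granted and cached, the first post-policy call misses the flushed cache and is decided by the rule.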