whyno selinux check
layer 6: pure function over pre-gathered mac state — reads selinux avc decision from systemstate.mac_state
components
- process check_selinux(state)
pure function — reads state.mac_state.selinux. no syscalls at check time.
checks/selinux.rs, state/mac.rs
- decision mac_state.selinux probe?
checks the probe<selinuxstate> gathered before the check pipeline ran
- degraded degraded: selinux state not gathered
probe is unknown or inaccessible — selinuxfs not mounted, feature not compiled, or gather failed
- decision selinuxmode?
branches on the enforcement mode captured at gather time
- degraded degraded: selinux disabled
selinux compiled out or disabled at boot — policy not active
- pass pass with warning: permissive mode
policy evaluated but denials logged, not enforced — access proceeds with advisory warning
- decision access_allowed?
pre-computed avc decision from gather time — checks selinuxstate.access_allowed
- pass pass: avc allowed
selinux policy allows this access in enforcing mode
- fail fail: avc denied tclass:perm
selinux policy denies this access in enforcing mode
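
The decision tree above written as a pure Rust function. This is an added example, not the whyno source: the identifier casing, the Probe variants, the CheckResult enum and the tclass/perm fields are assumptions made for illustration, and the sample state is constructed.

```rust
// Added illustration: type shapes are assumptions, not the whyno source.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SelinuxMode { Disabled, Permissive, Enforcing }

#[derive(Debug, Clone, PartialEq)]
pub struct SelinuxState {
    pub mode: SelinuxMode,    // enforcement mode captured at gather time
    pub access_allowed: bool, // AVC decision pre-computed at gather time
    pub tclass: String,       // object class of the queried access
    pub perm: String,         // permission of the queried access
}

#[derive(Debug, Clone, PartialEq)]
pub enum Probe<T> { Known(T), Unknown, Inaccessible }
pub struct MacState { pub selinux: Probe<SelinuxState> }
pub struct SystemState { pub mac_state: MacState }

#[derive(Debug, PartialEq)]
pub enum CheckResult { Pass, PassWithWarning(String), Fail(String), Degraded(String) }

/// Pure function: reads only `state`, performs no syscalls at check time.
pub fn check_selinux(state: &SystemState) -> CheckResult {
    // Decision 1: was the SELinux probe gathered at all?
    let se = match &state.mac_state.selinux {
        Probe::Known(se) => se,
        Probe::Unknown | Probe::Inaccessible => {
            return CheckResult::Degraded("selinux state not gathered".into())
        }
    };
    // Decision 2: enforcement mode; decision 3 applies only when enforcing.
    match se.mode {
        SelinuxMode::Disabled => CheckResult::Degraded("selinux disabled".into()),
        SelinuxMode::Permissive => CheckResult::PassWithWarning("permissive mode".into()),
        SelinuxMode::Enforcing if se.access_allowed => CheckResult::Pass,
        SelinuxMode::Enforcing => CheckResult::Fail(format!("avc denied {}:{}", se.tclass, se.perm)),
    }
}

// Constructed sample state: a file:read query with the given mode and AVC decision.
pub fn sample(mode: SelinuxMode, access_allowed: bool) -> SystemState {
    let se = SelinuxState { mode, access_allowed, tclass: "file".into(), perm: "read".into() };
    SystemState { mac_state: MacState { selinux: Probe::Known(se) } }
}

fn main() {
    // An enforcing-mode denial is the only path that produces a fail.
    println!("{:?}", check_selinux(&sample(SelinuxMode::Enforcing, false)));
}
```

A denial recorded under permissive mode still returns the warning-level pass, because the mode branch is evaluated before `access_allowed` is read.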