From 33ee84f87115f1e0a2a3a6bf61dc89b97a96daa2 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 26 Feb 2016 16:50:51 -0800
Subject: [PATCH] logd: Don't trigger an integrity failure on permissive SELinux denials
Only trigger an integrity failure if a policy is reloaded or SELinux is disabled. Don't trigger the integrity failure if we see a permissive=1 denial, which could occur if an SELinux domain is in permissive mode.
Bug: 27313768
Bug: 26902605
Change-Id: Ib85a2799eb6378ae8acdb965b1812d691183fdd3
---
 logd/LogAudit.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/logd/LogAudit.cpp b/logd/LogAudit.cpp
index 230dd1125..7c35dc60d 100644
--- a/logd/LogAudit.cpp
+++ b/logd/LogAudit.cpp
@@ -155,15 +155,15 @@ int LogAudit::logPrint(const char *fmt, ...) {
 }
 }
- bool permissive = strstr(str, " enforcing=0") ||
- strstr(str, " permissive=1");
+ bool notEnforcing = strstr(str, " enforcing=0");
+ bool permissive = strstr(str, " permissive=1");
- if (permissive) {
+ if (notEnforcing) {
 // SELinux in permissive mode is not allowed
 enforceIntegrity();
 }
- bool info = loaded || permissive;
+ bool info = loaded || permissive || notEnforcing;
 if ((fdDmesg >= 0) && initialized) {
 struct iovec iov[3];
 static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
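Review bot: The comment kept under `if (notEnforcing)` still reads "SELinux in permissive mode is not allowed", which now contradicts the code, because the variable named `permissive` is the case this commit deliberately tolerates. I would reword it to say which state trips the integrity check, e.g. `// A record carrying enforcing=0 (SELinux not enforcing) is not allowed; per-domain permissive=1 denials are tolerated and only logged`. Both flags come from a raw `strstr` over the whole audit line and rely on the implicit pointer-to-bool conversion; writing `strstr(str, " enforcing=0") != nullptr` makes the intent explicit, and a short comment on why a substring match anywhere in the record is acceptable would help the next reader of a check that gates `enforceIntegrity()`. The body of `logPrint` starts and ends outside this hunk, so where `loaded` is set and whether the policy-reload path mentioned in the description also reaches `enforceIntegrity()` cannot be confirmed from here.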