Stephen Smalley wrote:
If a (buggy) caller passes a requested permission value of zero to avc_has_perm, it correctly returns a permission denial (if enforcing),
Now I'm questioning why we don't just return success. Doesn't everyone have permission to do nothing? It seems odd to think that a process could receive "granted" for a set of permissions A, but "denied" for a subset of A.
but avc_audit will report it as a granted message with a "null" access vector (also if enforcing) due to the way in which avc_audit checks for the denied case. This was reported for nscd in https://bugzilla.redhat.com/show_bug.cgi?id=352601, but applies to both the libselinux AVC and the kernel AVC. In permissive mode, avc_has_perm permits the operation, and avc_audit reports nothing at all. So the question is how do we want to handle this case? It is a bug in the caller, but making it a BUG_ON() in the kernel and an assert() in libselinux doesn't seem very graceful, especially if in permissive mode. We could easily adjust avc_audit() to report it as a denied message with a 'null' access vector, although running audit2allow on that output will yield a broken policy module.
-- Eamon Walsh <ewalsh@xxxxxxxxxxxxx> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
