On Tue, 2009-06-16 at 11:19 -0400, Daniel J Walsh wrote:
> On 06/16/2009 10:55 AM, Eric Paris wrote:
> > On Tue, 2009-06-16 at 10:40 -0400, Steve Grubb wrote:
> >> On Tuesday 16 June 2009 10:26:46 am Eric Paris wrote:
> >>> On Tue, 2009-06-16 at 09:43 +0900, KaiGai Kohei wrote:
> >>>> Stephen Smalley wrote:
> >>>>
> >>>> For example, how do you feel the example on security_compute_av() time?
> >>>>
> >>>> type=SELINUX_INFO msg=audit(1245046106.725:65): \
> >>>> op=security_compute_av masked=bounds \
> >>>> scontext=system_u:system_r:user_webapp_t:s0 \
> >>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 \
> >>>> tclass=file { setattr write }
> >>>
> >>> I feel good for all but the { setattr write }
> >>>
> >>> It's a new message, we have no parsers which need the old format, how
> >>> would others feel about
> >>>
> >>> perm="setattr,write" ?
> >>
> >> I'd recommend losing the quotes. I think you are doing this because of
> >> untrusted_string, but I doubt the user can influence this.
> >
> > I'm starting to buy into the 'quotes makes it easy to know it's a
> > string' argument from jdennis. Figure these are low volume and it
> > doesn't hurt. (audit_log_string was actually what I was thinking, not
> > 'untrustedstring')
> >
> >> But I am also wondering if SELINUX_INFO is the most descriptive type name for
> >> what the record really means? Does this also result in a syscall record if
> >> audit is enabled?
> >
> > Haven't seen the code :)
> >
> > -Eric
> >
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> > the words "unsubscribe selinux" without quotes as the message.
>
> I agree name value pairs is excellent, then we can cleanup the tools
> that analyze the avcs. And what is an SELINUX_INFO, if this is a denial
> it should be a AVC.
It isn't an AVC. It is an internal inconsistency within the policy,
where an allow rule gave a child type more permissions than its parent.
It would be caught at policy link/expand time if expand-check=1 were
enabled in semanage.conf (same as neverallows), but will be caught at
runtime otherwise during compute_av processing.
It may later lead to an AVC if/when the particular permission is
checked.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
