Re: checking user status

Larry <selinux@xxxxxxxxxxxxxxxxxxxxxxxxx> · Tue, 18 Aug 2009 11:57:25 -0700

On Tue, Aug 18, 2009 at 11:10 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

On 08/18/2009 01:15 PM, Larry Ross wrote:
> On Tue, Aug 18, 2009 at 5:39 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
>> On Tue, 2009-08-18 at 08:19 -0400, Stephen Smalley wrote:

>>> If this is another manifestation of the same problem, then the easiest
>>> approach would be to grab the libselinux .src.rpm, patch
>>> libselinux/src/checkAccess.c to syslog() a message whenever there is a

>>> denial, build and install your patched libselinux, and then retry and
>>> look for the log message.
>>
>> Something like this patch (un-tested, against the current upstream
>> libselinux):

>>
>> diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
>> index c1982c7..cae1626 100644
>> --- a/libselinux/src/checkAccess.c
>> +++ b/libselinux/src/checkAccess.c

>> @@ -2,6 +2,7 @@
>>  #include <sys/types.h>
>>  #include <stdlib.h>
>>  #include <errno.h>
>> +#include <syslog.h>
>>  #include "selinux_internal.h"

>>  #include <selinux/flask.h>
>>  #include <selinux/av_permissions.h>
>> @@ -29,7 +30,15 @@ int selinux_check_passwd_access(access_vector_t
>> requested)
>>
>>                if ((retval == 0) && ((requested & avd.allowed) ==

>> requested)) {
>>                        status = 0;
>> +               } else {
>> +                       syslog(LOG_ERR,
>> +                              "avc:  denied { %s } for scontext=%s "

>> +                              "tcontext=%s tclass=passwd\n",
>> +                              security_av_perm_to_string(passwd_class,
>> +                                                         requested),

>> +                              user_context, user_context);
>>                }
>> +
>>                freecon(user_context);
>>         }
>>
>
> Where does the passwd_class come from?

>
>   -- Larry
>
>
>
>
>>
>>
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>

This is not the responsibility of the library to log this fact, it is the responsibility of the tool (passwd) to log
any denials.  I am surprised that we do not audit this event.  Since I think a MAC denial on changing a security sensitive object should probably be audited.

In the meantime, do you have any suggestions on how I can determine what the problem is?

   Thank you,
   Larry

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with

the words "unsubscribe selinux" without quotes as the message.