Re: checking user status

On Tue, Aug 18, 2009 at 10:15 AM, Larry Ross <selinux.larry@xxxxxxxxx> wrote:
On Tue, Aug 18, 2009 at 5:39 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Tue, 2009-08-18 at 08:19 -0400, Stephen Smalley wrote:
> If this is another manifestation of the same problem, then the easiest
> approach would be to grab the libselinux .src.rpm, patch
> libselinux/src/checkAccess.c to syslog() a message whenever there is a
> denial, build and install your patched libselinux, and then retry and
> look for the log message.

Something like this patch (un-tested, against the current upstream
libselinux):

diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index c1982c7..cae1626 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 #include <stdlib.h>
 #include <errno.h>
+#include <syslog.h>
 #include "selinux_internal.h"
 #include <selinux/flask.h>
 #include <selinux/av_permissions.h>
@@ -29,7 +30,15 @@ int selinux_check_passwd_access(access_vector_t requested)

               if ((retval == 0) && ((requested & avd.allowed) == requested)) {
                       status = 0;
+               } else {
+                       syslog(LOG_ERR,
+                              "avc:  denied { %s } for scontext=%s "
+                              "tcontext=%s tclass=passwd\n",
+                              security_av_perm_to_string(passwd_class,
+                                                         requested),
+                              user_context, user_context);
 
Looks like this should have been:
                        syslog(LOG_ERR,
                              "avc:  denied { %s } for scontext=%s "
                              "tcontext=%s tclass=passwd\n",
                              security_av_perm_to_string(SECCLASS_PASSWD,
                                               requested),
                              user_context, user_context);
 
 
Where should the reference to "security_av_perm_to_string" come from?
 
checkAccess.lo: In function `selinux_check_passwd_access':
checkAccess.c:(.text+0x9d): undefined reference to `security_av_perm_to_string'
 
  -- Larry
 

               }
+
               freecon(user_context);
       }
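
Review bot: The new else branch in selinux_check_passwd_access() is taken both when the permission is not in avd.allowed and when retval != 0, so a failed access computation would be logged as "avc:  denied". Suggest splitting the two cases and logging the failure separately from the denial. The result of security_av_perm_to_string() is passed straight to %s with no NULL check; since requested is tested as a mask ((requested & avd.allowed) == requested), store the result in a local and fall back to a fixed string or the numeric value when no name is returned. passwd_class is not declared anywhere in the visible lines, so the identifier needs a definition in this function or must be replaced by the class value already used for the check. The trailing \n in the syslog() format string is unnecessary.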
 
Where does the passwd_class come from?
 
  -- Larry
 
 
 



--

Stephen Smalley
National Security Agency



