On Tue, 2009-08-18 at 12:10 -0700, Larry wrote:
> On Tue, Aug 18, 2009 at 10:15 AM, Larry Ross <selinux.larry@xxxxxxxxx> wrote:
> > On Tue, Aug 18, 2009 at 5:39 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > On Tue, 2009-08-18 at 08:19 -0400, Stephen Smalley wrote:
> > > > > If this is another manifestation of the same problem, then the easiest
> > > > > approach would be to grab the libselinux .src.rpm, patch
> > > > > libselinux/src/checkAccess.c to syslog() a message whenever there is a
> > > > > denial, build and install your patched libselinux, and then retry and
> > > > > look for the log message.
> > > >
> > > > Something like this patch (un-tested, against the current upstream
> > > > libselinux):
> > > >
> > > > diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
> > > > index c1982c7..cae1626 100644
> > > > --- a/libselinux/src/checkAccess.c
> > > > +++ b/libselinux/src/checkAccess.c
> > > > @@ -2,6 +2,7 @@
> > > >  #include <sys/types.h>
> > > >  #include <stdlib.h>
> > > >  #include <errno.h>
> > > > +#include <syslog.h>
> > > >  #include "selinux_internal.h"
> > > >  #include <selinux/flask.h>
> > > >  #include <selinux/av_permissions.h>
> > > > @@ -29,7 +30,15 @@ int selinux_check_passwd_access(access_vector_t requested)
> > > >
> > > >  	if ((retval == 0) && ((requested & avd.allowed) == requested)) {
> > > >  		status = 0;
> > > > +	} else {
> > > > +		syslog(LOG_ERR,
> > > > +		       "avc: denied { %s } for scontext=%s "
> > > > +		       "tcontext=%s tclass=passwd\n",
> > > > +		       security_av_perm_to_string(passwd_class,
> > > > +						  requested),
> > > > +		       user_context, user_context);
> > >
> > > Looks like this should have been:
> > > 		syslog(LOG_ERR,
> > > 		       "avc: denied { %s } for scontext=%s "
> > > 		       "tcontext=%s tclass=passwd\n",
> > > 		       security_av_perm_to_string(SECCLASS_PASSWD, requested),
> > > 		       user_context, user_context);
> >
> > Where should the reference to "security_av_perm_to_string" come from?
> >
> > checkAccess.lo: In function `selinux_check_passwd_access':
> > checkAccess.c:(.text+0x9d): undefined reference to `security_av_perm_to_string'

My patch was relative to the latest version of libselinux from
http://userspace.selinuxproject.org. The one shipped in RHEL5 is obviously
much older and may lack that function. The older function would have been
print_access_vector() and/or avc_dump_av(), but you'd have to adjust them to
syslog() the output. Or you could patch, build, and install the latest
libselinux from userspace.selinuxproject.org.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
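Review bot: in the else branch of the second hunk, `passwd_class` is not a symbol that exists in checkAccess.c, so the patch does not build as posted; the follow-up in this thread already corrects the call to `security_av_perm_to_string(SECCLASS_PASSWD, requested)`. Two further points on the same hunk: `security_av_perm_to_string()` returns the name of a single permission, so when `requested` carries more than one bit the message names only one of them and the reader of the log cannot tell which others were asked for; and the hunk header promises fifteen added lines while the quote stops at `user_context, user_context);`, so the close of the new else block and whatever follows it cannot be reviewed here. Minor: the trailing "\n" in the format string is unnecessary for syslog().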
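Added example, not code from this thread or from libselinux: a stand-alone C version of the denial message the patch above logs, built so that every requested permission bit is reported (the quoted syslog() call names only one) and handed to syslog() without the trailing newline. The passwd_perms table is an assumption taken from the reference policy's passwd class declaration, and put(), format_passwd_denial(), passwd_denial_matches() and log_passwd_denial() are names of my own.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
typedef unsigned int access_vector_t;
/* Constructed table for the userspace "passwd" class, bit i <-> passwd_perms[i]; assumed
 * to match the reference policy's "class passwd { passwd chfn chsh rootok crontab }". */
static const char *const passwd_perms[] = { "passwd", "chfn", "chsh", "rootok", "crontab" };
#define PASSWD_NPERMS (sizeof passwd_perms / sizeof passwd_perms[0])
/* Append text at *off; 0 on success, -1 if buf cannot hold it (never a cut-off message). */
static int put(char *buf, size_t len, size_t *off, const char *text)
{
    int n = snprintf(buf + *off, len - *off, "%s", text);
    if (n < 0 || (size_t)n >= len - *off) return -1;
    *off += (size_t)n;
    return 0;
}
/* Build "avc: denied { p1 p2 ... } for scontext=S tcontext=T tclass=passwd". Every set bit is
 * reported (bits outside the table as "<unknown>"), unlike a single security_av_perm_to_string()
 * call. Returns the number of bits reported, or -1 if buf is too small. */
int format_passwd_denial(char *buf, size_t len, access_vector_t requested,
                         const char *scontext, const char *tcontext)
{
    size_t off = 0, i;
    int reported = 0;
    if (put(buf, len, &off, "avc: denied {")) return -1;
    for (i = 0; i < 8 * sizeof requested; i++) {
        if (!(requested & (1u << i))) continue;
        if (put(buf, len, &off, " ") ||
            put(buf, len, &off, i < PASSWD_NPERMS ? passwd_perms[i] : "<unknown>")) return -1;
        reported++;
    }
    if (put(buf, len, &off, " } for scontext=") || put(buf, len, &off, scontext) ||
        put(buf, len, &off, " tcontext=") || put(buf, len, &off, tcontext) ||
        put(buf, len, &off, " tclass=passwd")) return -1;
    return reported;
}
/* 1 if the denial for `requested` formats to exactly `expected`, else 0 (used by the checks). */
int passwd_denial_matches(access_vector_t requested, const char *sc, const char *tc, const char *expected)
{
    char buf[256];
    return format_passwd_denial(buf, sizeof buf, requested, sc, tc) >= 0 && strcmp(buf, expected) == 0;
}
/* What the thread's patch sets out to do: log the denial via syslog(). No trailing "\n" is needed,
 * and source and target are the same user context, as in the quoted selinux_check_passwd_access(). */
void log_passwd_denial(access_vector_t requested, const char *user_context)
{
    char msg[512];
    if (format_passwd_denial(msg, sizeof msg, requested, user_context, user_context) >= 0)
        syslog(LOG_ERR, "%s", msg);
}
```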