On Wed, 2009-08-19 at 10:34 -0400, Stephen Smalley wrote:
> On Tue, 2009-08-18 at 14:10 -0400, Daniel J Walsh wrote:
> > On 08/18/2009 01:15 PM, Larry Ross wrote:
> > > On Tue, Aug 18, 2009 at 5:39 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > >
> > >> On Tue, 2009-08-18 at 08:19 -0400, Stephen Smalley wrote:
> > >>> If this is another manifestation of the same problem, then the easiest
> > >>> approach would be to grab the libselinux .src.rpm, patch
> > >>> libselinux/src/checkAccess.c to syslog() a message whenever there is a
> > >>> denial, build and install your patched libselinux, and then retry and
> > >>> look for the log message.
> > >>
> > >> Something like this patch (un-tested, against the current upstream
> > >> libselinux):
> > >>
> > >> diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
> > >> index c1982c7..cae1626 100644
> > >> --- a/libselinux/src/checkAccess.c
> > >> +++ b/libselinux/src/checkAccess.c
> > >> @@ -2,6 +2,7 @@
> > >> #include <sys/types.h>
> > >> #include <stdlib.h>
> > >> #include <errno.h>
> > >> +#include <syslog.h>
> > >> #include "selinux_internal.h"
> > >> #include <selinux/flask.h>
> > >> #include <selinux/av_permissions.h>
> > >> @@ -29,7 +30,15 @@ int selinux_check_passwd_access(access_vector_t
> > >> requested)
> > >>
> > >> if ((retval == 0) && ((requested & avd.allowed) ==
> > >> requested)) {
> > >> status = 0;
> > >> + } else {
> > >> + syslog(LOG_ERR,
> > >> + "avc: denied { %s } for scontext=%s "
> > >> + "tcontext=%s tclass=passwd\n",
> > >> + security_av_perm_to_string(passwd_class,
> > >> + requested),
> > >> + user_context, user_context);
> > >> }
> > >> +
> > >> freecon(user_context);
> > >> }
> > >>
> > >
> > > Where does the passwd_class come from?
> > >
> > > -- Larry
> > >
> > >
> > >
> > >
> > >>
> > >>
> > >>
> > >> --
> > >> Stephen Smalley
> > >> National Security Agency
> > >>
> > >>
> > >
> >
> > This is not the responsibility of the library to log this fact, it is the responsibility of the tool (passwd) to log
> > any denials. I am surprised that we do not audit this event. Since I think a MAC denial on changing a security sensitive object should probably be audited.
>
> But only the library function has all the necessary information to
> generate an audit or log record that can be processed by e.g.
> audit2allow (the source and target contexts, class, and permission).
>
> I do agree that the callers should be modified to use the userspace AVC;
> then they would pick up the normal avc auditing support (but would need
> to set up the proper callback to invoke the audit interfaces, just like
> dbusd does).
>
> I think the bug would be against shadow-utils. Did anyone already open
> it?
Actually, it appears to affect:
pam (for pam_rootok)
shadow-utils (for chage)
passwd (for passwd)
util-linux-ng (for chsh, chfn)
cronie (for crontab)
And maybe others.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
