On Wednesday 09 December 2009 03:56:22 pm Russell Coker wrote:
> On Thu, 10 Dec 2009, Paul Moore <paul.moore@xxxxxx> wrote:
> > > Subject: selinux PERMISSIVE blocking tun/tap device creation in v2.6.32
> >
> > I imagine this is because the original reporter is using a SELinux policy
> > without the new TUN socket classes/permissions (which is likely the
> > common case at this point). The unknown class/permission handling that
> > Eric added _should_ protect us from this - Russel do you have any more
> > information about the distribution and policy in use here?
>
> Sorry, the original message apparently wasn't clear enough (I've added some
> caps).
>
> The problem occurred in permissive mode. When the system is in permissive
> mode then SE Linux should not deny any action that Unix permissions will
> permit.
Yes, I agree. The avc_has_perm_noaudit() function, which is called by
avc_has_perm(), checks to see if the system is in enforcing or permissive mode
and does the right thing ... except for one case that I can see, the case
where security_compute_av() returns an error/non-zero value.
Looking at security_compute_av() there is definitely code that will return an
error, even the EINVAL that was reported, but it would appear to only be
possible if the allow unknown classes/permissions flag was set to "no". Could
you please verify with the original reporter that this is the case? It would
also be interesting to see which distribution is shipping policy that has this
flag set to "no".
requested = unmap_perm(orig_tclass, orig_requested);
tclass = unmap_class(orig_tclass);
if (unlikely(orig_tclass && !tclass)) {
if (policydb.allow_unknown)
goto allow;
rc = -EINVAL;
goto out;
}
As for fixing this, there are a few options that I can think of, one of which
is to change avc_has_perm_noaudit() so that it does not return a error code,
only access denials.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
