On Tue, Jul 19, 2011 at 5:46 PM, Martin Orr <martin@xxxxxxxxxxxxxx> wrote:
> Can anyone explain the following AVC denial? What is the purpose of
> /selinux/null and why would ifconfig open it instead of /dev/null?
>
> type=1400 audit(1311107387.404:18): avc: denied { use } for pid=2211
> comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd

That is neat! So /selinux/null is the same thing as /dev/null. When a task execs a new task and the child does not have permission to an open fd, the kernel will close the fd and open /selinux/null in its place.

In this case it's not the label on the actual inode that is a problem, but instead the label on the fd. At some point ifconfig_t was passed an fd it couldn't use and the kernel replaced it with /selinux/null. ifconfig then leaked that fd onto wpa_supplicant.

My guess is that the real bug is whatever tried to pass ifconfig an fd which it was not allowed to use. Then we work from there.....

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
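The triage Eric describes (read the fd-class denial, work out which domain holds the descriptor and which domain's label it carries, and recognise that a path of "/null" on selinuxfs means the kernel already swapped the original descriptor out at an exec) can be done mechanically. The following is an added example, not code from this thread or from the SELinux project: it parses a kernel AVC record, interprets a `tclass=fd` denial the way the reply does, and scans `/proc/<pid>/fd` for descriptors that resolve to the selinuxfs null device. The selinuxfs mount points it recognises (`/selinux` on older systems, `/sys/fs/selinux` on newer ones) are assumptions, and the `/proc/<pid>/fd` mapping passed in the usage is constructed; the sample record is the one quoted above.

```python
"""Parse SELinux AVC records, interpret fd-use denials, find leaked null fds.

Added example, not from the mailing-list thread. SAMPLE is the record quoted
in the thread; the selinuxfs mount points below are assumptions.
"""
import os
import re

# Record quoted in the thread (a single line in the kernel log).
SAMPLE = (
    'type=1400 audit(1311107387.404:18): avc: denied { use } for pid=2211 '
    'comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22 '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd'
)

# Header of a kernel AVC record: type, timestamp:serial, verdict, permission set.
AVC_RE = re.compile(
    r"type=(?P<type>\S+)\s+audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are bare or double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Where the selinuxfs null device shows up as a /proc/<pid>/fd link target
# (assumed mount points, older and newer layouts).
SELINUX_NULL_PATHS = ("/selinux/null", "/sys/fs/selinux/null")


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("type", "ts", "serial", "verdict")}
    rec["perms"] = m.group("perms").split()
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:level] context string."""
    return ctx.split(":", 3)[2]


def explain_fd_denial(rec):
    """Interpret a denied 'use' on tclass=fd.

    For tclass=fd the source context is the process holding the descriptor and
    the target context is the label the descriptor carries from the domain that
    opened it. path="/null" on selinuxfs means the descriptor is the SELinux
    null device: the kernel already replaced a descriptor that the opening
    domain was not allowed to use when that domain was exec'd.
    """
    if rec is None or rec.get("tclass") != "fd" or "use" not in rec["perms"]:
        return None
    return {
        "holder_domain": context_type(rec["scontext"]),
        "fd_domain": context_type(rec["tcontext"]),
        "comm": rec.get("comm"),
        "pid": int(rec["pid"]),
        "selinux_null": rec.get("dev") == "selinuxfs" and rec.get("path") == "/null",
    }


def find_null_fds(fd_links=None, pid="self"):
    """Return fd numbers whose link target is the selinuxfs null device.

    fd_links maps fd number -> readlink target; when None it is read from
    /proc/<pid>/fd, so a leaked descriptor can be located in a live process.
    """
    if fd_links is None:
        fd_dir = "/proc/%s/fd" % pid
        fd_links = {}
        for name in os.listdir(fd_dir):
            try:
                fd_links[int(name)] = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue  # fd closed between listdir and readlink
    return sorted(fd for fd, target in fd_links.items() if target in SELINUX_NULL_PATHS)


if __name__ == "__main__":
    info = explain_fd_denial(parse_avc(SAMPLE))
    print("%s (pid %d, domain %s) holds an fd labelled %s; selinux null: %s"
          % (info["comm"], info["pid"], info["holder_domain"],
             info["fd_domain"], info["selinux_null"]))
    print("null fds in this process:", find_null_fds())
```

When `selinux_null` is true, the descriptor in the denial is not the original file at all, so the file's own label is irrelevant; the process to look at is the one in `fd_domain`, and `find_null_fds(pid=...)` on a live instance of it shows which descriptor numbers it is carrying around and passing on.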