Re: What is /selinux/null?


On 07/19/2011 09:31 PM, Eric Paris wrote:
> On Tue, Jul 19, 2011 at 5:46 PM, Martin Orr <martin@xxxxxxxxxxxxxx>
> wrote:
>> Can anyone explain the following AVC denial?  What is the purpose
>> of /selinux/null and why would ifconfig open it instead of
>> /dev/null?
>> 
>> type=1400 audit(1311107387.404:18): avc:  denied  { use } for
>> pid=2211 comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22 
>> scontext=system_u:system_r:NetworkManager_t:s0 
>> tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd
> 
> That is neat!  So /selinux/null is the same thing as /dev/null.
> When a task exec's a new task and the child does not have permission
> to an open fd the kernel will close the fd and open /selinux/null in
> its place.  In this case it's not the label on the actual inode that
> is a problem but it is instead the label on the fd.  At some point
> ifconfig_t was passed an fd it couldn't use and the kernel replaced
> it with /selinux/null.  ifconfig then leaked that fd onto
> wpa_supplicant.
> 
> My guess is that the real bug is whatever tried to pass ifconfig an
> fd which it was not allowed to use.  Then we work from there.....
> 
> -Eric
> 
> 
> -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without
> quotes as the message.
> 
> 
These are the ones to me that look backwards.

I have a hard time seeing how ifconfig_t could leak a descriptor to
NetworkManager_t.

Searching through transition rules, I guess the following is possible.

ifconfig_t -> insmod_t -> initrc_t -> NetworkManager_t?



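An added example, not part of either message: Python that reads the AVC record quoted in the thread and reports which process was denied and which domain label the descriptor carries. For a `tclass=fd` check, scontext is the process attempting the use and tcontext is the label on the descriptor; the function names and result keys are illustrative.

```python
import re
import shlex

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE = ('type=1400 audit(1311107387.404:18): avc:  denied  { use } for '
          'pid=2211 comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22 '
          'scontext=system_u:system_r:NetworkManager_t:s0 '
          'tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    # shlex strips the quotes around values such as comm="wpa_supplicant".
    for tok in shlex.split(m.group(3)):
        key, sep, val = tok.partition('=')
        if sep:
            rec[key] = val
    return rec

def domain(context):
    """Type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def explain_null_fd(line):
    """Summarise a denied fd 'use' on the selinuxfs null node, else None."""
    rec = parse_avc(line)
    if not rec or rec['result'] != 'denied':
        return None
    if rec.get('tclass') != 'fd' or 'use' not in rec['perms']:
        return None
    # dev=selinuxfs with a path ending in /null is the substitute descriptor.
    if rec.get('dev') != 'selinuxfs' or not rec.get('path', '').endswith('/null'):
        return None
    return {'denied_process': rec.get('comm'),
            'pid': int(rec.get('pid', 0)),
            'denied_domain': domain(rec.get('scontext', '')),
            'fd_label_domain': domain(rec.get('tcontext', ''))}

if __name__ == '__main__':
    print(explain_null_fd(SAMPLE))
```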