On Wed 20 Jul 02:31:29 2011, Eric Paris wrote:
> On Tue, Jul 19, 2011 at 5:46 PM, Martin Orr <martin@xxxxxxxxxxxxxx> wrote:
>> Can anyone explain the following AVC denial? What is the purpose of
>> /selinux/null and why would ifconfig open it instead of /dev/null?
>> type=1400 audit(1311107387.404:18): avc: denied { use } for pid=2211
>> comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22
>> scontext=system_u:system_r:NetworkManager_t:s0
>> tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd
> That is neat! So /selinux/null is the same thing as /dev/null. When
> a task execs a new task and the child does not have permission to an
> open fd, the kernel will close the fd and open /selinux/null in its
> place. In this case it's not the label on the actual inode that is a
> problem but it is instead the label on the fd. At some point
> ifconfig_t was passed an fd it couldn't use and the kernel replaced it
> with /selinux/null. ifconfig then leaked that fd onto wpa_supplicant.
I decided to track this down, and it is a little more complex than that:
When the kernel reopens an fd as /selinux/null, this happens before
the context change, so the fd gets the label of the old task.
So in this instance, the fd was leaked from ifconfig to a script
running as wpa_cli_t. The fd turned out to be /dev/console, coming
from init; wpa_cli_t has init_use_fds but only
term_dontaudit_use_console, so the fd was silently changed to
/selinux/null at this point.
(As Dan pointed out, the transitions ifconfig_t -> wpa_cli_t ->
NetworkManager_t are not in refpolicy but they are in my policy.)
Best wishes,
Martin
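The following is an added worked example, not code from either poster or from the SELinux project. It does two things: it parses an AVC denial line (the one from this thread, re-joined onto a single line) and flags the "path=/null dev=selinuxfs tclass=fd" pattern, and it simulates the fd flush at exec that Martin describes, so that the chain ifconfig_t -> wpa_cli_t -> NetworkManager_t reproduces the logged denial. Assumptions: /selinux/null is modelled with the inode type null_device_t, the dev name for /dev/console and the single "rw" permission standing in for the kernel's per-mode file checks are constructed simplifications, and the allow/dontaudit sets are a toy policy written to match the rules Martin names (init_use_fds, term_dontaudit_use_console), not refpolicy itself.

```python
import re
from dataclasses import dataclass

# ---- 1. Parse and triage an AVC denial line ---------------------------------

# Denial quoted from the thread, re-joined onto one line (audit daemons wrap it).
SAMPLE_AVC = ('type=1400 audit(1311107387.404:18): avc: denied { use } for pid=2211 '
              'comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22 '
              'scontext=system_u:system_r:NetworkManager_t:s0 '
              'tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd')

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an 'avc: denied { ... } for k=v ...' line into a dict of fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def triage_fd_denial(rec):
    """Classify an fd-class 'use' denial. When the target is /null on selinuxfs,
    the fd was already swapped out by an earlier exec in the process chain, and
    tcontext names the domain that performed that exec (the old task), not the
    domain that originally opened the file."""
    if rec is None or rec.get("tclass") != "fd" or "use" not in rec["perms"]:
        return {"kind": "not-fd-use"}
    replaced = rec.get("dev") == "selinuxfs" and rec.get("path") == "/null"
    return {"kind": "replaced-null-fd" if replaced else "leaked-fd",
            "domain": context_type(rec["scontext"]),
            "fd_owner": context_type(rec["tcontext"])}


# ---- 2. Simulate the fd flush at exec ---------------------------------------

NULL_FD_TYPE = "null_device_t"   # assumed inode type of /selinux/null


@dataclass(frozen=True)
class Fd:
    path: str
    dev: str
    file_type: str   # label of the inode the fd refers to
    fd_type: str     # label of the fd object: the type of the task that opened it


def exec_transition(fds, old_type, new_type, allow, dontaudit=frozenset()):
    """Check each inherited fd against the new domain. An fd failing either the
    fd 'use' check or the file access check is replaced by /selinux/null; the
    replacement is opened by the old task, so its fd label is old_type.
    Returns (new fd list, audited denials)."""
    kept, denials = [], []
    for fd in fds:
        checks = [(new_type, fd.fd_type, "fd", "use"),
                  (new_type, fd.file_type, "chr_file", "rw")]   # simplified file check
        failed = [c for c in checks if c not in allow]
        if not failed:
            kept.append(fd)
            continue
        for src, tgt, tclass, perm in failed:
            if (src, tgt, tclass, perm) not in dontaudit:
                denials.append({"source_type": src, "target_type": tgt,
                                "tclass": tclass, "perm": perm,
                                "path": fd.path, "dev": fd.dev})
        kept.append(Fd("/null", "selinuxfs", NULL_FD_TYPE, old_type))
    return kept, denials


def reproduce_thread_scenario():
    """Toy policy matching the rules named in the thread (not refpolicy)."""
    allow = {
        ("ifconfig_t", "init_t", "fd", "use"),
        ("ifconfig_t", "console_device_t", "chr_file", "rw"),
        ("wpa_cli_t", "init_t", "fd", "use"),                # init_use_fds(wpa_cli_t)
        ("wpa_cli_t", NULL_FD_TYPE, "chr_file", "rw"),
        ("NetworkManager_t", NULL_FD_TYPE, "chr_file", "rw"),
        # deliberately absent: (NetworkManager_t, ifconfig_t, fd, use)
    }
    dontaudit = {("wpa_cli_t", "console_device_t", "chr_file", "rw")}  # term_dontaudit_use_console
    console = Fd("/dev/console", "devtmpfs", "console_device_t", "init_t")  # constructed dev name
    fds1, d1 = exec_transition([console], "ifconfig_t", "wpa_cli_t", allow, dontaudit)
    fds2, d2 = exec_transition(fds1, "wpa_cli_t", "NetworkManager_t", allow, dontaudit)
    return {"after_wpa_cli": fds1, "denials_wpa_cli": d1,
            "after_nm": fds2, "denials_nm": d2}


if __name__ == "__main__":
    print(triage_fd_denial(parse_avc(SAMPLE_AVC)))
    for k, v in reproduce_thread_scenario().items():
        print(k, v)
```

The first exec (into wpa_cli_t) passes the fd "use" check but fails the console check, which is only dontaudit'ed, so the fd is silently replaced with /selinux/null carrying the ifconfig_t label; the second exec then logs exactly the NetworkManager_t -> ifconfig_t fd "use" denial with path=/null, which is why the tcontext points at a domain that never opened the console.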
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.