On Fri, 15 Feb 2013 09:28:06 -0500 Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> So, just to be clear, you are saying that avc_has_perm_noaudit() is
> getting a denial (i.e. denied != 0) but you are never getting an avc
> denied message even with no dontaudit rules?

I know this sounds strange, but that's exactly what it looks like to me at the moment. (I'm a SELinux beginner, though)

> You could call slow_avc_audit() directly to display the arguments in
> a meaningful format.

I did the following in hooks.c:

 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
+ if (rc == -13)
+ {
+ printk(KERN_ERR "avc_has_perm_noaudit(%u, %u, %u, %u, 0, &avd)", sid, isec->sid, isec->sclass, perms);
+ slow_avc_audit(sid, isec->sid, isec->sclass, perms, 1, 1, NULL, 0);
+ }

But that also didn't yield any audit messages. The printk call works, however. To be honest, I don't know exactly what to fill in for the last 4 arguments.

The call chain leading there is

cgroup_addrm_files
cgroup_add_file
lookup_one_len
inode_permission
__inode_permission
security_inode_permission
selinux_inode_permission

Inside selinux_inode_permission, avc_has_perm_noaudit returns -ENOACCES and avc_audit_required returns 0.
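Review bot: In the added slow_avc_audit() call, the last four arguments (1, 1, NULL, 0) are hard-coded placeholders, so even if a record were emitted it would not describe the permissions that were actually denied; take them from perms and from the avd that avc_has_perm_noaudit() fills in on the unchanged line above. The test `rc == -13` should also use the symbolic -EACCES instead of the literal errno value, and the printk format string should end with "\n" so the debug line is not run into the next kernel log message.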