Hello,
I have also modified one more function, test is underway. Please find the code attached. It is taking a bit more time to compile. Thank you for your patience.

static noinline int avc_denied(u32 ssid, u32 tsid,
			       u16 tclass, u32 requested,
			       unsigned flags,
			       struct av_decision *avd)
{
	if (flags & AVC_STRICT)
		return 0;
		//return -EACCES;
	if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
		return 0;
		//return -EACCES;
	avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,
			tsid, tclass, avd->seqno);
	return 0;
}

On Sat, Apr 19, 2014 at 8:06 PM, Kernel freak <kernelfreak@xxxxxxxxx> wrote:
AVC log:
Hello,
As discussed in the thread before, avc_has_perm() and its variants are responsible for checking if access is there in cache. If missing, then the policy is queried. What I did in the avc.c file (file is attached), I returned rc=0 all the time. Still there are AVC denials. Can anyone tell me how it is possible and where the denials are coming from? I am pasting some log also below. Please check out. Thank you for your time.
type=SYSCALL msg=audit(1397930313.086:269925): arch=c000003e syscall=2 success=yes exit=12 a0=8918e0 a1=0 a2=1b6 a3=7f9450d02ed0 items=0 ppid=1390 pid=1556 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="unity-panel-ser" exe="/usr/lib/unity/unity-panel-service" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1397930313.086:269925): avc: denied { read } for pid=1556 comm="unity-panel-ser" name="network-transmit-receive.svg" dev="sdb1" ino=4860464 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Sat Apr 19 19:58:33 2014
type=SYSCALL msg=audit(1397930313.086:269926): arch=c000003e syscall=21 success=no exit=-2 a0=15bbe1c a1=0 a2=0 a3=0 items=0 ppid=1390 pid=1545 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="hud-service" exe="/usr/lib/x86_64-linux-gnu/hud/hud-service" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1397930313.086:269926): avc: denied { search } for pid=1545 comm="hud-service" name="indicator-appmenu" dev="sdb1" ino=393355 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1397930313.086:269926): avc: denied { search } for pid=1545 comm="hud-service" name=".cache" dev="sdb1" ino=393223 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
----
time->Sat Apr 19 19:58:33 2014
type=SYSCALL msg=audit(1397930313.086:269927): arch=c000003e syscall=21 success=no exit=-2 a0=15bbe5f a1=0 a2=0 a3=0 items=0 ppid=1390 pid=1545 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="hud-service" exe="/usr/lib/x86_64-linux-gnu/hud/hud-service" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1397930313.086:269927): avc: denied { search } for pid=1545 comm="hud-service" name="indicator-appmenu" dev="sdb1" ino=393355 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1397930313.086:269927): avc: denied { search } for pid=1545 comm="hud-service" name=".cache" dev="sdb1" ino=393223 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
----
time->Sat Apr 19 19:58:33 2014
type=SYSCALL msg=audit(1397930313.086:269928): arch=c000003e syscall=21 success=no exit=-2 a0=15bbe1c a1=0 a2=0 a3=0 items=0 ppid=1390 pid=1545 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="hud-service" exe="/usr/lib/x86_64-linux-gnu/hud/hud-service" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1397930313.086:269928): avc: denied { search } for pid=1545 comm="hud-service" name="indicator-appmenu" dev="sdb1" ino=393355 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1397930313.086:269928): avc: denied { search } for pid=1545 comm="hud-service" name=".cache" dev="sdb1" ino=393223 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
----
time->Sat Apr 19 19:58:33 2014
type=SYSCALL msg=audit(1397930313.086:269929): arch=c000003e syscall=21 success=no exit=-2 a0=15bbe5f a1=0 a2=0 a3=0 items=0 ppid=1390 pid=1545 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="hud-service" exe="/usr/lib/x86_64-linux-gnu/hud/hud-service" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1397930313.086:269929): avc: denied { search } for pid=1545 comm="hud-service" name="indicator-appmenu" dev="sdb1" ino=393355 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1397930313.086:269929): avc: denied { search } for pid=1545 comm="hud-service" name=".cache" dev="sdb1" ino=393223 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
On Thu, Apr 17, 2014 at 7:58 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
FWIW, I unsubscribed and banned bochen from the list for that completely
off-topic reply to this thread. Don't respond to it, please.
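
Added example (not part of any message in this thread, and not code from the SELinux project): a small Python script that groups audit records by event serial and reports, for each "avc: denied" record, whether the accompanying SYSCALL record actually failed with EACCES. The sample input is abridged from the log quoted above; the function names and verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Records abridged from the audit log quoted in the thread (fields trimmed).
SAMPLE = """\
type=SYSCALL msg=audit(1397930313.086:269925): arch=c000003e syscall=2 success=yes exit=12 pid=1556 comm="unity-panel-ser"
type=AVC msg=audit(1397930313.086:269925): avc: denied { read } for pid=1556 comm="unity-panel-ser" name="network-transmit-receive.svg" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
----
time->Sat Apr 19 19:58:33 2014
type=SYSCALL msg=audit(1397930313.086:269926): arch=c000003e syscall=21 success=no exit=-2 pid=1545 comm="hud-service"
type=AVC msg=audit(1397930313.086:269926): avc: denied { search } for pid=1545 comm="hud-service" name=".cache" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')
EACCES = -13  # errno a syscall returns when access is refused

def fields(text):
    """Turn 'k=v k2="v 2"' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KEYVAL.findall(text)}

def correlate(log):
    """Return (serial, comm, perms, tclass, verdict) for every denial."""
    events = defaultdict(lambda: {"syscall": None, "denials": []})
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:                       # separators and time-> lines
            continue
        rtype, _stamp, serial, body = m.groups()
        if rtype == "SYSCALL":
            events[int(serial)]["syscall"] = fields(body)
        elif rtype == "AVC" and (d := DENIED.search(body)):
            rec = fields(d.group(2))
            rec["perms"] = ",".join(d.group(1).split())
            events[int(serial)]["denials"].append(rec)
    report = []
    for serial in sorted(events):
        sc = events[serial]["syscall"]
        if sc is None:                  # denial without a SYSCALL record
            continue
        if sc["success"] == "yes":
            verdict = "not-enforced"    # denial was logged, call succeeded
        elif int(sc["exit"]) == EACCES:
            verdict = "eacces"          # consistent with an enforced denial
        else:
            verdict = "other-errno"     # call failed for a different reason
        for d in events[serial]["denials"]:
            report.append((serial, d["comm"], d["perms"], d["tclass"], verdict))
    return report

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```

On the quoted log, event 269925 comes out as "not-enforced" (success=yes beside a denied record) and the hud-service events as "other-errno" (exit=-2, not -13).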