selinux_check_access() has code like this:

    sclass = string_to_security_class(class);
    if (sclass == 0) {
        rc = errno;
        if (security_deny_unknown() == 0)
            return 0;
        errno = rc;
        return -1;
    }

My problem with the code is that we have no logging of any kind of why we just returned -1.

The reason this was found is because Dominick is writing custom policy that doesn't define all of the classes/perms used by systemd and has security_deny_unknown() == 1. systemd calls selinux_check_access(), gets -EINVAL, prints that it denied, but nowhere do we have a good reason why it was denied. systemd doesn't know; it's hidden in this library...

A good first step would be to call avc_log(SELINUX_ERR, ...) in the case where we return an error. But what do we do in the security_deny_unknown() == 0 case? I'd still like to call avc_log, but only do it once rather than flood our logs.

Any suggestions on how to pull that off?

-Eric

Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
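One way to get both behaviours the post asks for (log every denial, but log the permissive "unknown class allowed" case only once per process), written as an added example rather than libselinux code. The functions prefixed example_ are constructed stand-ins for string_to_security_class(), security_deny_unknown() and avc_log(), so nothing here is the library's real implementation; the once-only guard is a C11 atomic_flag, which stays correct when several threads hit the path at the same time.

```c
/* Added example, not libselinux code. Everything prefixed example_ is a
 * constructed stand-in for the libselinux function of the same shape so
 * the file builds and runs offline. */
#include <errno.h>
#include <stdarg.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

static int example_deny_unknown = 1;  /* stand-in for security_deny_unknown() */
static int example_log_calls = 0;     /* how many times the log sink fired */
static char example_last_msg[256];    /* last message, for inspection */

/* Stand-in for avc_log(SELINUX_ERR, ...): records and prints the message. */
static void example_avc_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(example_last_msg, sizeof example_last_msg, fmt, ap);
    va_end(ap);
    example_log_calls++;
    fprintf(stderr, "%s\n", example_last_msg);
}

/* Stand-in for string_to_security_class(): a constructed policy that only
 * knows two classes. Unknown names return 0 with errno = EINVAL, which is
 * the contract the quoted code relies on. */
static unsigned short example_string_to_security_class(const char *cls)
{
    if (strcmp(cls, "process") == 0) return 1;
    if (strcmp(cls, "file") == 0) return 2;
    errno = EINVAL;
    return 0;
}

/* Log the first unknown class seen in this process and stay quiet after
 * that. atomic_flag_test_and_set() is an atomic read-modify-write, so if
 * several threads race here exactly one of them logs. */
static void example_log_unknown_once(const char *cls)
{
    static atomic_flag already_logged = ATOMIC_FLAG_INIT;

    if (atomic_flag_test_and_set(&already_logged))
        return;                 /* someone already logged; do nothing */
    example_avc_log("unknown class \"%s\" (deny_unknown=0): allowing; "
                    "further unknown classes will not be logged", cls);
}

/* Mirrors the selinux_check_access() prologue quoted in the post, with
 * the two logging calls added. */
int example_check_access(const char *cls)
{
    unsigned short sclass = example_string_to_security_class(cls);

    if (sclass == 0) {
        int rc = errno;

        if (example_deny_unknown == 0) {
            example_log_unknown_once(cls);   /* once per process */
            return 0;
        }
        /* Denials are actionable, so log every one with the reason. */
        example_avc_log("unknown class \"%s\" (deny_unknown=1): denied", cls);
        errno = rc;
        return -1;
    }
    return 0;   /* known class; the real function would now run the AVC check */
}

/* Accessors so callers (and tests) need not touch the globals. */
void example_set_deny_unknown(int v) { example_deny_unknown = v; }
int example_log_count(void) { return example_log_calls; }

int main(void)
{
    example_set_deny_unknown(1);
    printf("process -> %d\n", example_check_access("process"));  /* 0, no log */
    printf("bogus   -> %d\n", example_check_access("bogus"));    /* -1, logged */
    example_set_deny_unknown(0);
    printf("bogus   -> %d\n", example_check_access("bogus"));    /* 0, logged once */
    printf("bogus2  -> %d\n", example_check_access("bogus2"));   /* 0, silent */
    printf("log calls: %d\n", example_log_count());              /* 3 */
    return 0;
}
```

The guard here is once per process; if a single noisy message is too coarse, the same flag can be kept per class name in a small table so each unknown class is reported exactly once, at the cost of a lock or a lock-free set around that table.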