Re: selinux_check_access() and unknown classes/perms

Well, you could use a static variable a la printk_once in the kernel;
it would only happen once per program rather than once per unique denial,
but there is no real way to do that short of introducing an AVC entry
for an undefined class...

On Tue, Apr 29, 2014 at 2:14 PM, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:
> selinux_check_access() has code like this:
>
>        sclass = string_to_security_class(class);
>        if (sclass == 0) {
>                rc = errno;
>                if (security_deny_unknown() == 0)
>                        return 0;
>                errno = rc;
>                return -1;
>        }
>
> My problem with the code is that we have no logging of any kind of why we
> just returned -1.  The reason this was found is because Dominick is
> writing custom policy that doesn't define all of the classes/perms
> used by systemd and has security_deny_unknown() == 1.  systemd calls
> selinux_check_access(), gets -EINVAL, prints that it denied, but
> nowhere do we have a good reason why it was denied.  systemd doesn't
> know; it's hidden in this library...
>
> A good first step would be to call avc_log(SELINUX_ERR, ...) in the
> case where we return an error.  But what do we do in the
> security_deny_unknown() == 0 case?  I'd still like to call avc_log,
> but only do it once rather than flood our logs.  Any suggestions how
> to pull that off?
>
> -Eric
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
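The once-per-process logging idea from the reply, worked through as an added example (not libselinux code): `lookup_class`, `deny_unknown`, `log_count` and `check_access_class` are stand-ins for `string_to_security_class()`, `security_deny_unknown()`, `avc_log()` and the quoted prefix of `selinux_check_access()`, with a constructed class table instead of a loaded policy.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for string_to_security_class(): the "policy" only
 * defines these classes; 0 means the class is undefined in policy. */
static const char *const known_classes[] = { "file", "dir", "process", "service" };

static unsigned short lookup_class(const char *class)
{
    for (unsigned short i = 0; i < sizeof known_classes / sizeof *known_classes; i++)
        if (strcmp(known_classes[i], class) == 0)
            return i + 1;
    errno = EINVAL;
    return 0;
}

/* Stand-in for the policy's deny_unknown setting (security_deny_unknown()). */
static int deny_unknown = 1;

/* Stand-in for avc_log(SELINUX_ERR, ...); counts lines so the behaviour is testable. */
static int log_count = 0;

static void log_unknown_class(const char *class, const char *action)
{
    log_count++;
    fprintf(stderr, "SELinux: class '%s' undefined in policy, %s\n", class, action);
}

/* Models the start of selinux_check_access(): resolve the class, then either
 * permit (deny_unknown == 0) or deny with errno set.  The static flag is the
 * printk_once idiom: the permissive case is logged once per process so the
 * log is not flooded, while every hard denial is logged with its reason. */
int check_access_class(const char *class)
{
    static int warned_once = 0;
    unsigned short sclass = lookup_class(class);
    if (sclass != 0)
        return 0;                 /* class is defined; the real code goes on to the AVC */
    int rc = errno;
    if (deny_unknown == 0) {
        if (!warned_once) {
            warned_once = 1;
            log_unknown_class(class, "allowing (deny_unknown=0)");
        }
        return 0;
    }
    log_unknown_class(class, "denying (deny_unknown=1)");
    errno = rc;
    return -1;
}
```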