Re: selinux_check_access() and unknown classes/perms

I would think an AVC entry for an undefined class would be a good idea.
On 04/29/2014 08:02 PM, Stephen Smalley wrote:
> Well, you could use a static variable a la printk_once in the kernel;
> would only happen once per program rather than once per unique denial,
> but there is no real way to do that short of introducing an AVC entry
> for an undefined class...
>
> On Tue, Apr 29, 2014 at 2:14 PM, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:
>> selinux_check_access() has code like this:
>>
>>        sclass = string_to_security_class(class);
>>        if (sclass == 0) {
>>                rc = errno;
>>                if (security_deny_unknown() == 0)
>>                        return 0;
>>                errno = rc;
>>                return -1;
>>        }
>>
>> My problem with the code is that we have no logging of any kind of why we
>> just returned -1.  The reason this was found is because Dominick is
>> writing custom policy that doesn't define all of the classes/perms
>> used by systemd and has security_deny_unknown() == 1.  systemd calls
>> selinux_check_access(), gets -EINVAL, prints that it denied, but
>> nowhere do we have a good reason why it was denied.  systemd doesn't
>> know; it's hidden in this library...
>>
>> A good first step would be to call avc_log(SELINUX_ERR, ...) in the
>> case where we return an error.  But what do we do in the
>> security_deny_unknown() == 0 case?  I'd still like to call avc_log,
>> but only do it once rather than flood our logs.  Any suggestions how
>> to pull that off?
>>
>> -Eric
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

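Added example (not code from the thread or from libselinux): a wrapper around the unknown-class branch quoted above that keeps a small per-process cache of undefined class names, so each unique unknown class is reported once rather than once per check or once per program as a single static flag would give. The resolver and the deny_unknown flag are passed in; `sample_resolve` is a constructed stand-in for `string_to_security_class()`, the flag stands in for `security_deny_unknown()`, and the stderr message stands in for `avc_log()`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Class-name resolver, the role string_to_security_class() plays in
 * libselinux; it returns 0 for a class the loaded policy does not define. */
typedef unsigned short (*class_resolver_t)(const char *name);

/* Constructed stand-in resolver that knows only two classes. */
unsigned short sample_resolve(const char *name)
{
    if (strcmp(name, "file") == 0) return 1;
    if (strcmp(name, "process") == 0) return 2;
    return 0;
}

/* Per-process cache of undefined class names already reported, so each
 * unique unknown class is logged once per process: more useful than a
 * single printk_once-style flag, which would report only the first one. */
#define MAX_UNKNOWN 16
static char seen_unknown[MAX_UNKNOWN][32]; /* zero-filled, so always NUL-terminated */
static int seen_count;

/* Returns 1 the first time name is seen, 0 on repeats. When the cache is
 * full, further new names are reported on every call rather than lost. */
int note_unknown_class(const char *name)
{
    for (int i = 0; i < seen_count; i++)
        if (strcmp(seen_unknown[i], name) == 0)
            return 0;
    if (seen_count < MAX_UNKNOWN)
        snprintf(seen_unknown[seen_count++], sizeof seen_unknown[0], "%s", name);
    return 1;
}

/* Mirrors the unknown-class branch of selinux_check_access() quoted in the
 * thread, but reports why the check failed: returns 0 when deny_unknown is
 * 0, otherwise -1 with errno = EINVAL. The message stands in for avc_log(). */
int check_access_log_unknown(const char *class, class_resolver_t resolve,
                             int deny_unknown)
{
    if (resolve(class) != 0)
        return 0; /* known class; real code would go on to check the permission */
    if (note_unknown_class(class))
        fprintf(stderr, "SELinux: class '%s' not defined in policy, %s\n", class,
                deny_unknown ? "denying (EINVAL)" : "allowing (deny_unknown=0)");
    if (deny_unknown == 0)
        return 0;
    errno = EINVAL;
    return -1;
}
```

Names longer than the cache slot are truncated when stored, so such a class would be reported on every call rather than once.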