Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> writes: > On 8/26/20 10:46 AM, Stephen Smalley wrote: >> On Wed, Aug 26, 2020 at 10:35 AM Chris PeBenito >> <chpebeni@xxxxxxxxxxxxxxxxxxx> wrote: >>> >>> On 8/26/20 9:25 AM, Chris PeBenito wrote: >>>> I was looking into this dbus-broker audit message, which has the wrong audit type: >>>> >>>> audit[422]: USER_AVC pid=422 uid=999 auid=4294967295 ses=4294967295 >>>> subj=system_u:system_r:system_dbusd_t msg='avc: received policyload notice >>>> (seqno=2) >>>> >>>> This is due to dbus-broker setting their avc log callback to send USER_AVC audit >>>> messages for everything that comes to the libselinux log callback. I think the >>>> right thing to do there is to change it to emit USER_SELINUX_ERR audit messages >>>> if the log message is SELINUX_ERROR, otherwise log the message using their >>>> regular method (stderr I think). >>>> >>>> But the question became, why is the userspace AVC not simply emitting its own >>>> USER_MAC_POLICY_LOAD audit message instead of sending a message to the log >>>> callback? >>> >>> Ok, I missed that there is a SELINUX_AVC log type and that's how the userspace >>> denial messages are sent out. How about adding SELINUX_POLICYLOAD and >>> SELINUX_ENFORCE log types so that callers can emit appropriate audit messages? >> Do we need two different new types or just one? Otherwise, I don't >> have a problem with adding new ones as long as it doesn't break >> existing applications. > > Regarding the risk of breaking existing applications, I did some > checking on some userspace AVC users and what they do in their log > callback: > > * systemd only audits SELINUX_AVC and SELINUX_ERROR messages and > ignores others(as Petr noted) > * xorg-server audits SELINUX_AVC correctly but audits SELINUX_INFO as > USER_MAC_POLICY_LOAD and everything else it ignores the type and > audits as AUDIT_USER_SELINUX_ERR > * dbus-broker ignores type and audits everything as USER_AVC > * dbus-service ignores type and audits everything as USER AVC > * pam: pam_rootok ignores type and audits everything as USER_AVC > * sepgsql custom AVC implementation (this was news to me) > * shadow-utils only audits SELINUX_AVC and SELINUX_ERROR messages and > others go to syslog > * cronie: no callback set > > That's all the ones I could think of. Which ones am I missing? Probably libreswan, AFAIK that one might also still be using avc_has_perm() instead of selinux_check_access(). -- gpg --locate-keys dominick.grift@xxxxxxxxxxx Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
