Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> writes: > On 8/26/20 3:07 PM, Dominick Grift wrote: >> Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> writes: >> >>> On 8/26/20 10:46 AM, Stephen Smalley wrote: >>>> On Wed, Aug 26, 2020 at 10:35 AM Chris PeBenito >>>> <chpebeni@xxxxxxxxxxxxxxxxxxx> wrote: >>>>> >>>>> On 8/26/20 9:25 AM, Chris PeBenito wrote: >>>>>> I was looking into this dbus-broker audit message, which has the wrong audit type: >>>>>> >>>>>> audit[422]: USER_AVC pid=422 uid=999 auid=4294967295 ses=4294967295 >>>>>> subj=system_u:system_r:system_dbusd_t msg='avc: received policyload notice >>>>>> (seqno=2) >>>>>> >>>>>> This is due to dbus-broker setting their avc log callback to send USER_AVC audit >>>>>> messages for everything that comes to the libselinux log callback. I think the >>>>>> right thing to do there is to change it to emit USER_SELINUX_ERR audit messages >>>>>> if the log message is SELINUX_ERROR, otherwise log the message using their >>>>>> regular method (stderr I think). >>>>>> >>>>>> But the question became, why is the userspace AVC not simply emitting its own >>>>>> USER_MAC_POLICY_LOAD audit message instead of sending a message to the log >>>>>> callback? >>>>> >>>>> Ok, I missed that there is a SELINUX_AVC log type and that's how the userspace >>>>> denial messages are sent out. How about adding SELINUX_POLICYLOAD and >>>>> SELINUX_ENFORCE log types so that callers can emit appropriate audit messages? >>>> Do we need two different new types or just one? Otherwise, I don't >>>> have a problem with adding new ones as long as it doesn't break >>>> existing applications. >>> >>> Regarding the risk of breaking existing applications, I did some >>> checking on some userspace AVC users and what they do in their log >>> callback: >>> >>> * systemd only audits SELINUX_AVC and SELINUX_ERROR messages and >>> ignores others(as Petr noted) >>> * xorg-server audits SELINUX_AVC correctly but audits SELINUX_INFO as >>> USER_MAC_POLICY_LOAD and everything else it ignores the type and >>> audits as AUDIT_USER_SELINUX_ERR >>> * dbus-broker ignores type and audits everything as USER_AVC >>> * dbus-service ignores type and audits everything as USER AVC >>> * pam: pam_rootok ignores type and audits everything as USER_AVC >>> * sepgsql custom AVC implementation (this was news to me) >>> * shadow-utils only audits SELINUX_AVC and SELINUX_ERROR messages and >>> others go to syslog >>> * cronie: no callback set >>> >>> That's all the ones I could think of. Which ones am I missing? >> Probably libreswan, AFAIK that one might also still be using >> avc_has_perm() instead of selinux_check_access(). > > You're correct, it is still use avc_has_perm(). There is no log callback set here. glibc nscd (also seems to be still using avc_has_perm()) -- gpg --locate-keys dominick.grift@xxxxxxxxxxx Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
