On Wed, 2020-08-26 at 15:15 -0400, Chris PeBenito wrote:
On 8/26/20 3:07 PM, Dominick Grift wrote:
Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> writes:
On 8/26/20 10:46 AM, Stephen Smalley wrote:
On Wed, Aug 26, 2020 at 10:35 AM Chris PeBenito
<chpebeni@xxxxxxxxxxxxxxxxxxx> wrote:
On 8/26/20 9:25 AM, Chris PeBenito wrote:
I was looking into this dbus-broker audit message, which
has the wrong audit type:
audit[422]: USER_AVC pid=422 uid=999 auid=4294967295
ses=4294967295
subj=system_u:system_r:system_dbusd_t msg='avc: received
policyload notice
(seqno=2)
This is due to dbus-broker setting their avc log callback
to send USER_AVC audit
messages for everything that comes to the libselinux log
callback. I think the
right thing to do there is to change it to emit
USER_SELINUX_ERR audit messages
if the log message is SELINUX_ERROR, otherwise log the
message using their
regular method (stderr I think).
But the question became, why is the userspace AVC not
simply emitting its own
USER_MAC_POLICY_LOAD audit message instead of sending a
message to the log
callback?
Ok, I missed that there is a SELINUX_AVC log type and that's
how the userspace
denial messages are sent out. How about adding
SELINUX_POLICYLOAD and
SELINUX_ENFORCE log types so that callers can emit
appropriate audit messages?
Do we need two different new types or just one? Otherwise, I
don't
have a problem with adding new ones as long as it doesn't break
existing applications.
Regarding the risk of breaking existing applications, I did some
checking on some userspace AVC users and what they do in their
log
callback:
* systemd only audits SELINUX_AVC and SELINUX_ERROR messages and
ignores others(as Petr noted)
* xorg-server audits SELINUX_AVC correctly but audits
SELINUX_INFO as
USER_MAC_POLICY_LOAD and everything else it ignores the type
and
audits as AUDIT_USER_SELINUX_ERR
* dbus-broker ignores type and audits everything as USER_AVC
* dbus-service ignores type and audits everything as USER AVC
* pam: pam_rootok ignores type and audits everything as USER_AVC
* sepgsql custom AVC implementation (this was news to me)
* shadow-utils only audits SELINUX_AVC and SELINUX_ERROR messages
and
others go to syslog
* cronie: no callback set
That's all the ones I could think of. Which ones am I missing?
Probably libreswan, AFAIK that one might also still be using
avc_has_perm() instead of selinux_check_access().
You're correct, it is still use avc_has_perm(). There is no log
callback set here.
ipsec-tools (racoon) is another. I did patches for this and LibreSwan a
few years ago, they never went far:
ipsec-tools:
https://marc.info/?l=ipsec-tools-devel&m=149441917501329&w=2
LibreSwan:
https://lists.libreswan.org/pipermail/swan-dev/2017-May/001860.html
