Re: Avc denies while running in Permissive mode...

[Eric Paris <eparis@redhat.com>]

On Thu, 2008-12-18 at 08:57 -0500, Stephen Smalley wrote:
> On Thu, 2008-12-18 at 15:30 +1100, James Morris wrote:
> > On Wed, 17 Dec 2008, Stephen Smalley wrote:
> > 
> > > In permissive mode, when a permission would be denied for a given
> > > (source context, target context, target class) triple for the first
> > > time, the kernel audits the denial (avc:  denied) and then adds that
> > > permission to the allowed vector for that triple in the AVC (access
> > > vector cache).  Thus, subsequent uses of that same permission on that
> > > same triple will not trigger further denials until the cache entry is
> > > evicted from the cache (which can happen automatically if we need to
> > > free up space for use by other entries or explicitly upon either a
> > > policy reload or changing a policy boolean).
> > 
> > What about adding a kernel option (say, selinux_permissive_debug), which 
> > causes the permission update to be bypassed, but still allows the 
> > operation?
> > 
> > Something like:
> > 
> > int avc_has_perm_noaudit(...)
> > {
> > 
> > 	...
> > 
> >         if (denied) {
> >                 if (flags & AVC_STRICT)
> >                         rc = -EACCES;
> >                 else if (!selinux_enforcing || security_permissive_sid(ssid))
> > 			if (!selinux_permissive_debug)
> > 				avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,
> >                                 	        tsid, tclass);
> >                 else
> >                         rc = -EACCES;
> >         }
> > 
> > 	...
> > }
> 
> Yes, that was what I had in mind, although Eric seems to think we can
> get by via existing auditallow and/or syscall audit mechanisms.
> 
> Such an option could have its initial value specified via kernel config
> or via boot parameter (so that one can boot a kernel in this state
> initially and collect all avc messages in permissive) and the value
> could subsequently be changed via a new selinuxfs node.

The only point of this new impossible to find and twittle flag would be
to get notification of what would have been denied.  I think I gave 2
ways to get such notification and you already get one "correct" denial
which audit2allow will be able to translate.  What tools really
differentiate between one denial and 1000?  Setroubleshoot I guess sorta
does...

I know in the past I've wished something like this flag was present, so
I'm not going to stand in the way, but it seems to me like one can
already get the info and we are just cluttering the kernel code so we
can get the same info another way....

-Eric


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.