* [RFC PATCH 0/1] libselinux: Add support for selinux_check_access_flags
From: Richard Haines @ 2017-04-24 13:09 UTC (permalink / raw)
To: selinux
Only wanted the avd flags to check whether the domain was permissive
or not using an selinux_check_access() type call.
As a consequence of implementing selinux_check_access_flags, additional
calls have been added to avc.c: avc_has_perm_flags() and
avc_has_perm_noaudit_flags(). Added man page entries for them but not sure
if they should be hidden.
Richard Haines (1):
libselinux: Add support for selinux_check_access_flags
 libselinux/include/selinux/avc.h                 |  68 +++++++
 libselinux/include/selinux/selinux.h             |  32 +++
 libselinux/man/man3/avc_has_perm.3               |  37 +++-
 libselinux/man/man3/security_compute_av.3        |  21 +-
 libselinux/man/man3/selinux_check_access_flags.3 |   1 +
 libselinux/src/avc.c                             |  44 ++++-
 libselinux/src/avc_internal.h                    |   1 +
 libselinux/src/checkAccess.c                     |  63 +++---
 libselinux/utils/.gitignore                      |   2 +
 libselinux/utils/avc_has_perm.c                  | 235 +++++++++++++++++++++++
 libselinux/utils/selinux_check_access.c          | 189 ++++++++++++++++++
 11 files changed, 660 insertions(+), 33 deletions(-)
create mode 100644 libselinux/man/man3/selinux_check_access_flags.3
create mode 100644 libselinux/utils/avc_has_perm.c
create mode 100644 libselinux/utils/selinux_check_access.c
--
2.9.3
* Re: [RFC PATCH 0/1] libselinux: Add support for selinux_check_access_flags
From: Stephen Smalley @ 2017-04-24 14:06 UTC (permalink / raw)
To: Richard Haines, selinux
On Mon, 2017-04-24 at 14:09 +0100, Richard Haines wrote:
> Only wanted the avd flags to check whether the domain was permissive
> or not using an selinux_check_access() type call.
Why? What's the intended user?
>
> As a consequence of implementing selinux_check_access_flags,
> additional
> calls have been added to avc.c: avc_has_perm_flags() and
> avc_has_perm_noaudit_flags(). Added man page entries for them but not
> sure
> if they should be hidden.
>
> Richard Haines (1):
> libselinux: Add support for selinux_check_access_flags
>
> libselinux/include/selinux/avc.h | 68 +++++++
> libselinux/include/selinux/selinux.h | 32 +++
> libselinux/man/man3/avc_has_perm.3 | 37 +++-
> libselinux/man/man3/security_compute_av.3 | 21 +-
> libselinux/man/man3/selinux_check_access_flags.3 | 1 +
> libselinux/src/avc.c | 44 ++++-
> libselinux/src/avc_internal.h | 1 +
> libselinux/src/checkAccess.c | 63 +++---
> libselinux/utils/.gitignore | 2 +
> libselinux/utils/avc_has_perm.c | 235
> +++++++++++++++++++++++
> libselinux/utils/selinux_check_access.c | 189
> ++++++++++++++++++
> 11 files changed, 660 insertions(+), 33 deletions(-)
> create mode 100644 libselinux/man/man3/selinux_check_access_flags.3
> create mode 100644 libselinux/utils/avc_has_perm.c
> create mode 100644 libselinux/utils/selinux_check_access.c
>
* Re: [RFC PATCH 0/1] libselinux: Add support for selinux_check_access_flags
From: Richard Haines @ 2017-04-24 15:02 UTC (permalink / raw)
To: Stephen Smalley, selinux
On Mon, 2017-04-24 at 10:06 -0400, Stephen Smalley wrote:
> On Mon, 2017-04-24 at 14:09 +0100, Richard Haines wrote:
> > Only wanted the avd flags to check whether the domain was
> > permissive
> > or not using an selinux_check_access() type call.
>
> Why? What's the intended user?
I was writing patches to update racoon and pluto to use
selinux_check_access in place of avc_open etc. As these programs also
log useful info I thought I would log the SELinux status (permissive
mode etc. etc. for debugging). The only thing missing was if they were
running in a permissive domain, so I thought I would see if I could
retrieve this as well. With this patch I can check if permission is
granted or not and also if it is a permissive domain (provided of course the
call returned the avd flags).

The other way I thought of was to add another entry to selinuxfs and pass
the context to the kernel and get whether it is a permissive domain or not.

Is there an easier way to detect a permissive domain without reading
the policy?
>
> >
> > As a consequence of implementing selinux_check_access_flags,
> > additional
> > calls have been added to avc.c: avc_has_perm_flags() and
> > avc_has_perm_noaudit_flags(). Added man page entries for them but
> > not
> > sure
> > if they should be hidden.
> >
> > Richard Haines (1):
> > libselinux: Add support for selinux_check_access_flags
> >
> > libselinux/include/selinux/avc.h | 68 +++++++
> > libselinux/include/selinux/selinux.h | 32 +++
> > libselinux/man/man3/avc_has_perm.3 | 37 +++-
> > libselinux/man/man3/security_compute_av.3 | 21 +-
> > libselinux/man/man3/selinux_check_access_flags.3 | 1 +
> > libselinux/src/avc.c | 44 ++++-
> > libselinux/src/avc_internal.h | 1 +
> > libselinux/src/checkAccess.c | 63 +++---
> > libselinux/utils/.gitignore | 2 +
> > libselinux/utils/avc_has_perm.c | 235
> > +++++++++++++++++++++++
> > libselinux/utils/selinux_check_access.c | 189
> > ++++++++++++++++++
> > 11 files changed, 660 insertions(+), 33 deletions(-)
> > create mode 100644
> > libselinux/man/man3/selinux_check_access_flags.3
> > create mode 100644 libselinux/utils/avc_has_perm.c
> > create mode 100644 libselinux/utils/selinux_check_access.c
> >
* Re: [RFC PATCH 0/1] libselinux: Add support for selinux_check_access_flags
From: Stephen Smalley @ 2017-04-24 15:50 UTC (permalink / raw)
To: Richard Haines, selinux
On Mon, 2017-04-24 at 16:02 +0100, Richard Haines wrote:
> On Mon, 2017-04-24 at 10:06 -0400, Stephen Smalley wrote:
> > On Mon, 2017-04-24 at 14:09 +0100, Richard Haines wrote:
> > > Only wanted the avd flags to check whether the domain was
> > > permissive
> > > or not using an selinux_check_access() type call.
> >
> > Why? What's the intended user?
>
> I was writing patches to update racoon and pluto to use
> selinux_check_access in place of avc_open etc. As these programs also
> log useful info I thought I would log the SELinux status (permissive
> mode etc. etc. for debugging). The only thing missing was if they
> were
> running in a permissive domain so I thought I would see if I could
> retrieve this as well. With this patch I can check if permission
> granted or not and also if permissive domain (provided of course the
> call returned the avd flags).
>
> The other way I thought of was add another entry to selinuxfs and
> pass
> the context to kernel and get whether permissive domain or not.
>
> Is there an easier way to detect a permissive domain without reading
> the policy ?
Why not just mirror what we did in the kernel and add permissive=0|1 to
the avc: denied messages? avc_audit() already has the necessary
information; you don't need to export it outside of the AVC.
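The two positions in the thread, an exported permissive flag that the caller inspects versus a permissive=0|1 field in the audit line, both rest on the same piece of information: the flags word of the av_decision returned by the kernel. The following is an added example, not code from the RFC patch or from libselinux, that shows how that flag combines with the access decision and what the audit line Stephen proposes would look like. To build offline, struct av_decision and SELINUX_AVD_FLAGS_PERMISSIVE are re-declared with the shape they have in <selinux/selinux.h> (an assumption of this example; real code includes that header and obtains the decision from avc_has_perm() or security_compute_av_flags()); the permission bits, the decide() and format_audit() helpers and the security contexts are constructed for the demonstration.

```c
/*
 * Added illustration for the thread above; not code from the patch or
 * from libselinux. The decision rule mirrors the one libselinux applies
 * in avc_has_perm_noaudit(): a denied permission is fatal only when the
 * AVC is enforcing AND the source domain is not permissive.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int access_vector_t;

/* Assumption: same layout as struct av_decision in <selinux/selinux.h>,
 * copied here so the example compiles without libselinux installed. */
struct av_decision {
    access_vector_t allowed;
    access_vector_t decided;
    access_vector_t auditallow;
    access_vector_t auditdeny;
    unsigned int seqno;
    unsigned int flags;
};
#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001

/* Hypothetical permission bits for a single object class (demo only). */
#define PERM_READ  0x1
#define PERM_WRITE 0x2

/*
 * Combine the kernel's decision with the permissive flag.
 * Returns 0 if the access proceeds, -1 with errno = EACCES otherwise.
 * *denied receives the bits policy did not allow, which is what the
 * audit path logs even when a permissive domain lets the access through.
 */
int decide(struct av_decision *avd, access_vector_t requested,
           int avc_enforcing, access_vector_t *denied)
{
    *denied = requested & ~avd->allowed;
    if (!requested || *denied) {
        if (!avc_enforcing || (avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE)) {
            avd->allowed |= requested; /* granted, but still auditable */
            return 0;
        }
        errno = EACCES;
        return -1;
    }
    return 0;
}

/*
 * Build an "avc:  denied" line and append permissive=0|1 taken from the
 * av_decision flags, the form suggested in the reply above. Returns the
 * number of characters written, as snprintf() does.
 */
int format_audit(char *buf, size_t len, access_vector_t denied,
                 const struct av_decision *avd, const char *scontext,
                 const char *tcontext, const char *tclass)
{
    int permissive = (avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE) ? 1 : 0;
    return snprintf(buf, len,
                    "avc:  denied  {%s%s } scontext=%s tcontext=%s tclass=%s permissive=%d",
                    (denied & PERM_READ) ? " read" : "",
                    (denied & PERM_WRITE) ? " write" : "",
                    scontext, tcontext, tclass, permissive);
}

int main(void)
{
    /* Constructed decision: policy allows read only, domain is permissive. */
    struct av_decision avd = { PERM_READ, PERM_READ | PERM_WRITE, 0, 0, 1,
                               SELINUX_AVD_FLAGS_PERMISSIVE };
    access_vector_t denied;
    char line[256];

    int rc = decide(&avd, PERM_READ | PERM_WRITE, 1, &denied);
    if (denied) {
        format_audit(line, sizeof line, denied, &avd,
                     "system_u:system_r:ipsec_t:s0",        /* constructed */
                     "system_u:object_r:ipsec_conf_file_t:s0", "file");
        puts(line);
    }
    printf("rc=%d (permissive domain: denial logged, access continues)\n", rc);
    return 0;
}
```

The point the example makes concrete is that the permissive bit never changes what is denied, only whether the denial is fatal; logging it next to the denial, as the kernel does, therefore gives a reader of the log the same information a caller would get from an exported flag, without widening the libselinux API.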