From: Valdis Klētnieks
To: noloader@gmail.com
Subject: Re: SElinux and its own error code?
Date: Sun, 03 May 2020 03:50:42 -0400
Message-ID: <167275.1588492242@turing-police>
Cc: kernelnewbies

On Sat, 02 May 2020 23:55:02 -0400, Jeffrey Walton said:

> I lost about four hours chasing inaccurate messages from Apache. It
> turns out SElinux was denying access, so the EPERM was not really
> accurate. But Apache saw EPERM or EACCESS and logged a message related
> to Posix permissions.

No, you had a permission problem. It isn't strictly confined to only Posix
permissions. Note that if you use ACLs, you'll also get an EPERM if you don't
have access.

> As far as I know Posix does not authorize use of EPERM or EACCESS for
> SElinux. That is, SElinux should not be hijacking the error code.

And where exactly does Posix say that EPERM is *only* for permission issues
with the user/group/world bits? (Hint: you can get EPERM for a program that
creates a socket and then tries to bind to the broadcast address for the
interface, or if iptables rejected the request).

> I'm wondering why there is no error message for SElinux that would
> allow application to return a specific error when SElinux denies
> access to an object or operation.

And why would that be useful? What could a program do differently for a SELinux
permission error than a Posix permission error?

If the problem is that you don't know about the SELinux error messages, you
should be learning about the auditd subsystem, setroubleshootd, sealert, and
friends.

> Why does SElinux not have its own error code?

Among other things, it means that programs potentially have to have
special-casing in the error handlers, which are *already* code that doesn't get
fully tested in most cases.

And then you have to add code for Smack permission problems, and for AppArmor
permission problems, and Yama permission problems...

Or you can just return -EPERM for all of them.
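
An added illustration, not part of the original message: because the errno is the same whichever permission check refused the request, the audit log that the reply points to is where an SELinux cause becomes visible. The sketch below parses `type=AVC` audit records and keeps only the enforced denials for one command; the sample records, their values and all function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed, abbreviated audit.log records (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1588478102.411:912): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev="dm-0" ino=397214 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1588478102.411:912): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1588478140.020:915): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1588478155.730:917): avc:  denied  { getattr } for  pid=3011 comm="sshd" path="/srv/data" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_denials(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        rec["serial"] = int(m.group("serial"))
        # permissive=1 means the access was logged but still allowed,
        # so the syscall did not fail because of this record.
        rec["enforced"] = rec.get("permissive", "0") == "0"
        denials.append(rec)
    return denials

def enforced_denials_for(text, comm):
    """Denials for one command name that were actually enforced."""
    return [d for d in parse_avc_denials(text) if d["comm"] == comm and d["enforced"]]

def summarize(denials):
    """Count (source type, target type, class, permission) tuples."""
    counts = Counter()
    for d in denials:
        src = d["scontext"].split(":")[2]
        tgt = d["tcontext"].split(":")[2]
        for perm in d["perms"]:
            counts[(src, tgt, d["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(enforced_denials_for(SAMPLE_AUDIT_LOG, "httpd")).items():
        print(n, *key)
```

The audit serial number (912 in the first sample record) is shared by the AVC and SYSCALL records of one event, which is how a failed syscall can be tied back to the denial that caused it.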