From: Steve Grubb <sgrubb@redhat.com>
To: Eamon Walsh <ewalsh@tycho.nsa.gov>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Daniel J Walsh <dwalsh@redhat.com>,
SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Permissive mode for xace is broken.
Date: Mon, 17 Mar 2008 16:11:08 -0400
Message-ID: <200803171611.08351.sgrubb@redhat.com>
In-Reply-To: <47C767B4.7060606@tycho.nsa.gov>

On Thursday 28 February 2008 21:02:28 Eamon Walsh wrote:
> Steve Grubb wrote:
> > On Thursday 28 February 2008 13:51:05 Stephen Smalley wrote:
> >> On Thu, 2008-02-28 at 13:48 -0500, Eamon Walsh wrote:
> >>> Stephen Smalley wrote:
> >>>> On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
> >>>>> Eamon Walsh wrote:
> >>>>>> The X object manager logs all avc's and status messages (including
> >>>>>> the AVC netlink stuff) through the audit system using libaudit calls
> >>>>>> (audit_log_user_avc_message, etc.)
> >
> > Please tell me they have different record types. Also do you have any
> > samples that we can look over to make sure they conform?
>
> type=USER_AVC msg=audit(1204226161.048:268): user pid=21267 uid=0
> auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
> msg='avc: denied { read } for request=X11:QueryPointer
> comm=/usr/libexec/at-spi-registryd xdevice="Virtual core pointer"
> scontext=staff_u:staff_r:staff_t:s0
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=x_device :
> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'

comm & xdevice are not escaped the right way. exe is. The audit utilities are
expecting the comm field to be comm="/usr/libexec/at-spi-registryd" in this
case. The standard has been that untrusted fields have " " enclosing the field.
Whenever there is a space, double quote, or control character, it's ASCII HEX
encoded with no quotes. xdevice is not a field that the audit system knows
about, so we could do something different with it, but comm has been known for
a long time and has to follow the standards.

Also, is there any information about who caused the event? uid, auid, gid?
Even though this was a denied action, what are the results? Were they
successful (permissive) or was it really a failed and denied request?

Would it make sense to fill in the workspace:window information for the
terminal? If X is being used remotely, are the addr & hostname fields correct?

Those are the only things I notice at this point.

-Steve
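
The field convention described in the message above, as an added example that is not part of the original email and is not libaudit's own code: a value is written as name="value" unless it contains a space, double quote or control character, in which case it is written as bare uppercase hex. The names `needs_hex` and `encode_field` are hypothetical, and treating bytes above 0x7e as needing encoding is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libaudit's API. Nonzero if the value holds a space,
 * double quote or control character (the rule in the message). Bytes above
 * 0x7e are treated the same way, an assumption beyond the message. */
static int needs_hex(const char *v)
{
    for (const unsigned char *p = (const unsigned char *)v; *p; p++)
        if (*p <= 0x20 || *p == '"' || *p > 0x7e)
            return 1;
    return 0;
}

/* Writes name="value" or name=HEX into out; returns length, or -1 if out is too small. */
static int encode_field(const char *name, const char *value,
                        char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t nlen = strlen(name), vlen = strlen(value);
    int enc = needs_hex(value);
    if (nlen + 1 + (enc ? 2 * vlen : vlen + 2) + 1 > outlen)
        return -1;
    char *w = out;
    memcpy(w, name, nlen); w += nlen;
    *w++ = '=';
    if (enc) {
        for (size_t i = 0; i < vlen; i++) {
            *w++ = hex[(unsigned char)value[i] >> 4];
            *w++ = hex[value[i] & 0x0f];
        }
    } else {
        *w++ = '"';
        memcpy(w, value, vlen); w += vlen;
        *w++ = '"';
    }
    *w = '\0';
    return (int)(w - out);
}

int main(void)
{
    char buf[128];
    /* Constructed inputs: the comm and xdevice values from the quoted record. */
    if (encode_field("comm", "/usr/libexec/at-spi-registryd", buf, sizeof buf) > 0)
        puts(buf);
    if (encode_field("xdevice", "Virtual core pointer", buf, sizeof buf) > 0)
        puts(buf);
    return 0;
}
```

Because the hex form carries no quotes, a value containing a double quote or newline cannot close the field early or start a forged field inside the msg='...' payload.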