Re: [PATCH] audit validatetrans denials

[Darrel Goeddel <dgoeddel@TrustedCS.com>]

[-- Attachment #1: Type: text/plain, Size: 515 bytes --]

Stephen Smalley wrote:
> One other question:  At present, you won't perform any such auditing
> when in permissive mode, as you bail out of
> security_validate_transition() immediately in that case.  Do you want
> instead to handle this more like security_compute_sid(), i.e. always
> auditing the denial but only returning an error if enforcing? 
> Otherwise, you won't even see such denials if you are doing any kind of
> policy development in permissive mode.
> 

Good catch.  Version 3 attached...

-- 

Darrel

[-- Attachment #2: validtrans_audit.patch3 --]
[-- Type: text/plain, Size: 2324 bytes --]

diff -ruNp linux-2.6-nsa-20050215/security/selinux/ss/services.c linux-2.6-20050217/security/selinux/ss/services.c
--- linux-2.6-nsa-20050215/security/selinux/ss/services.c	2005-01-27 16:48:31.000000000 -0600
+++ linux-2.6-20050217/security/selinux/ss/services.c	2005-02-17 12:50:22.000000000 -0600
@@ -64,6 +64,10 @@ int ss_initialized = 0;
  */
 static u32 latest_granting = 0;
 
+/* Forward declarations. */
+int context_struct_to_string(struct context *context, char **scontext,
+                             u32 *scontext_len);
+
 /*
  * Return the boolean value of a constraint expression
  * when it is applied to the specified source and target
@@ -347,6 +351,34 @@ static int context_struct_compute_av(str
 	return 0;
 }
 
+static int security_validtrans_handle_fail(struct context *ocontext,
+                                           struct context *ncontext,
+                                           struct context *tcontext,
+                                           u16 tclass)
+{
+	char *o = NULL, *n = NULL, *t = NULL;
+	u32 olen, nlen, tlen;
+
+	if (context_struct_to_string(ocontext, &o, &olen) < 0)
+		goto out;
+	if (context_struct_to_string(ncontext, &n, &nlen) < 0)
+		goto out;
+	if (context_struct_to_string(tcontext, &t, &tlen) < 0)
+		goto out;
+	audit_log(current->audit_context,
+	          "security_validate_transition:  denied for"
+	          " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
+	          o, n, t, policydb.p_class_val_to_name[tclass-1]);
+out:
+	kfree(o);
+	kfree(n);
+	kfree(t);
+
+	if (!selinux_enforcing)
+		return 0;
+	return -EPERM;
+}
+
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                  u16 tclass)
 {
@@ -357,7 +389,7 @@ int security_validate_transition(u32 old
 	struct constraint_node *constraint;
 	int rc = 0;
 
-	if (!ss_initialized || !selinux_enforcing)
+	if (!ss_initialized)
 		return 0;
 
 	POLICY_RDLOCK;
@@ -409,7 +441,8 @@ int security_validate_transition(u32 old
 	while (constraint) {
 		if (!constraint_expr_eval(ocontext, ncontext, tcontext,
 		                          constraint->expr)) {
-			rc = -EPERM;
+			rc = security_validtrans_handle_fail(ocontext, ncontext,
+			                                     tcontext, tclass);
 			goto out;
 		}
 		constraint = constraint->next;