All of lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@redhat.com>, Steve Grubb <sgrubb@redhat.com>,
	KaiGai Kohei <kaigai@ak.jp.nec.com>,
	James Morris <jmorris@namei.org>,
	selinux@tycho.nsa.gov, Eamon Walsh <ewalsh@tycho.nsa.gov>
Subject: Re: type bounds audit messages
Date: Wed, 17 Jun 2009 09:10:54 -0400	[thread overview]
Message-ID: <4A38EB5E.9080903@redhat.com> (raw)
In-Reply-To: <1245172731.2512.53.camel@localhost.localdomain>

On 06/16/2009 01:18 PM, Stephen Smalley wrote:
> On Tue, 2009-06-16 at 11:19 -0400, Daniel J Walsh wrote:
>> On 06/16/2009 10:55 AM, Eric Paris wrote:
>>> On Tue, 2009-06-16 at 10:40 -0400, Steve Grubb wrote:
>>>> On Tuesday 16 June 2009 10:26:46 am Eric Paris wrote:
>>>>> On Tue, 2009-06-16 at 09:43 +0900, KaiGai Kohei wrote:
>>>>>> Stephen Smalley wrote:
>>>>>>
>>>>>> For example, how do you feel the example on security_compute_av() time?
>>>>>>
>>>>>> type=SELINUX_INFO msg=audit(1245046106.725:65):       \
>>>>>>     op=security_compute_av masked=bounds                \
>>>>>>     scontext=system_u:system_r:user_webapp_t:s0         \
>>>>>>     tcontext=system_u:object_r:httpd_sys_content_t:s0   \
>>>>>>     tclass=file { setattr write }
>>>>>
>>>>> I feel good for all but the { setattr write }
>>>>>
>>>>> It's a new message, we have no parsers which need the old format, how
>>>>> would others feel about
>>>>>
>>>>> perm="setattr,write"   ?
>>>>
>>>> I'd recommend losing the quotes. I think you are doing this because of
>>>> untrusted_string, but I doubt the user can influence this.
>>>
>>> I'm starting to buy into the 'quotes makes it easy to know it's a
>>> string' argument from jdennis.  Figure these are low volume and it
>>> doesn't hurt.  (audit_log_string was actually what I was thinking, not
>>> 'untrustedstring')
>>>
>>>> But I am also wondering if SELINUX_INFO is the most descriptive type name for
>>>> what the record really means? Does this also result in a syscall record if
>>>> audit is enabled?
>>>
>>> Haven't seen the code   :)
>>>
>>> -Eric
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>> I agree name value pairs is excellent, then we can cleanup the tools
>> that analyze the avcs.  And what is an SELINUX_INFO, if this is a denial
>> it should be a AVC.
>
> It isn't an AVC.  It is an internal inconsistency within the policy,
> where an allow rule gave a child type more permissions than its parent.
> It would be caught at policy link/expand time if expand-check=1 were
> enabled in semanage.conf (same as neverallows), but will be caught at
> runtime otherwise during compute_av processing.
>
> It may later lead to an AVC if/when the particular permission is
> checked.
>
OK, I misunderstood.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

  reply	other threads:[~2009-06-17 13:10 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1244730288.10762.120.camel@localhost.localdomain>
     [not found] ` <4A31A33F.2040504@ak.jp.nec.com>
     [not found]   ` <1244807594.18947.62.camel@localhost.localdomain>
2009-06-15  6:56     ` type bounds audit messages KaiGai Kohei
2009-06-15 13:17       ` Eric Paris
2009-06-15 14:01         ` Stephen Smalley
2009-06-15 14:14           ` Eric Paris
2009-06-16  0:43           ` KaiGai Kohei
2009-06-16 14:26             ` Eric Paris
2009-06-16 14:40               ` Steve Grubb
2009-06-16 14:55                 ` Eric Paris
2009-06-16 15:19                   ` Daniel J Walsh
2009-06-16 17:18                     ` Stephen Smalley
2009-06-17 13:10                       ` Daniel J Walsh [this message]
2009-06-16 15:23                   ` Steve Grubb
2009-06-16 15:30                     ` Daniel J Walsh
2009-06-16 15:41                     ` Eric Paris
2009-06-17  4:35                       ` KaiGai Kohei
2009-06-17 12:53                         ` Stephen Smalley
2009-06-18  8:26                           ` KaiGai Kohei
2009-06-18 12:50                             ` Stephen Smalley
2009-06-18 14:18                             ` James Morris
2009-06-18  8:35                           ` KaiGai Kohei
2009-06-18 12:54                             ` Stephen Smalley
2009-06-15 14:08         ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4A38EB5E.9080903@redhat.com \
    --to=dwalsh@redhat.com \
    --cc=eparis@redhat.com \
    --cc=ewalsh@tycho.nsa.gov \
    --cc=jmorris@namei.org \
    --cc=kaigai@ak.jp.nec.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.