From: Daniel J Walsh <dwalsh@redhat.com>
To: Larry Ross <selinux.larry@gmail.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov, Steve Grubb <sgrubb@redhat.com>
Subject: Re: checking user status
Date: Tue, 18 Aug 2009 14:10:38 -0400
Message-ID: <4A8AEE9E.1020102@redhat.com>
In-Reply-To: <81092d890908181015j71ce6b62tdc5f5251220d84a9@mail.gmail.com>
On 08/18/2009 01:15 PM, Larry Ross wrote:
> On Tue, Aug 18, 2009 at 5:39 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> On Tue, 2009-08-18 at 08:19 -0400, Stephen Smalley wrote:
>>> If this is another manifestation of the same problem, then the easiest
>>> approach would be to grab the libselinux .src.rpm, patch
>>> libselinux/src/checkAccess.c to syslog() a message whenever there is a
>>> denial, build and install your patched libselinux, and then retry and
>>> look for the log message.
>>
>> Something like this patch (un-tested, against the current upstream
>> libselinux):
>>
>> diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
>> index c1982c7..cae1626 100644
>> --- a/libselinux/src/checkAccess.c
>> +++ b/libselinux/src/checkAccess.c
>> @@ -2,6 +2,7 @@
>> #include <sys/types.h>
>> #include <stdlib.h>
>> #include <errno.h>
>> +#include <syslog.h>
>> #include "selinux_internal.h"
>> #include <selinux/flask.h>
>> #include <selinux/av_permissions.h>
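Review bot: the new `#include <syslog.h>` routes the denial message to the syslog daemon (LOG_USER facility unless the calling program has set another via openlog()), not to the audit subsystem where AVC denials are normally recorded, so the patch description should say explicitly that the tester has to look in the syslog output (e.g. /var/log/messages) for the "avc: denied" line rather than in audit.log. Nothing in the hunk makes the logging conditional, so every libselinux consumer that calls this function will emit the message; that is fine for a debugging patch but worth noting.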
>> @@ -29,7 +30,15 @@ int selinux_check_passwd_access(access_vector_t
>> requested)
>>
>> if ((retval == 0) && ((requested & avd.allowed) ==
>> requested)) {
>> status = 0;
>> + } else {
>> + syslog(LOG_ERR,
>> + "avc: denied { %s } for scontext=%s "
>> + "tcontext=%s tclass=passwd\n",
>> + security_av_perm_to_string(passwd_class,
>> + requested),
>> + user_context, user_context);
>> }
>> +
>> freecon(user_context);
>> }
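Review bot: `passwd_class` is passed to `security_av_perm_to_string()` but is not declared anywhere in this hunk, and the visible context only has `requested`, `retval`, `avd`, `status` and `user_context`, so as written this will not compile. Since `<selinux/flask.h>` is already included, the existing check is presumably done against the `SECCLASS_PASSWD` constant; either use that, or obtain the class with `string_to_security_class("passwd")` and check for a zero return before logging. Two smaller points in the same branch: the `else` also covers the `retval != 0` case, where `avd.allowed` was never filled in and the message would misleadingly report a denial for what is actually a security_compute_av() failure, so it would be better to log `errno` separately there; and the trailing `\n` in the syslog format string is unnecessary, syslog(3) terminates the record itself. Printing `user_context` for both scontext and tcontext is correct for this self-check but deserves a short comment so the repeated argument is not read as a typo.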
>>
>
> Where does the passwd_class come from?
>
> -- Larry
>
>> --
>> Stephen Smalley
>> National Security Agency
>
This is not the responsibility of the library to log this fact; it is the responsibility of the tool (passwd) to log
any denials. I am surprised that we do not audit this event, since I think a MAC denial on changing a security-sensitive object should probably be audited.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Thread overview (20+ messages):
2009-08-16 18:53 checking user status Larry Ross
2009-08-17 12:29 ` Stephen Smalley
2009-08-17 12:42 ` Christopher J. PeBenito
2009-08-17 12:54 ` Stephen Smalley
2009-08-18 15:32 ` Daniel J Walsh
[not found] ` <81092d890908170747s305cf9f2uc734f5a3fefd4efc@mail.gmail.com>
2009-08-17 14:54 ` Larry Ross
2009-08-18 15:31 ` Daniel J Walsh
[not found] ` <1250521053.3629.117.camel@moss-pluto.epoch.ncsc.mil>
2009-08-17 14:55 ` Larry Ross
2009-08-17 20:38 ` Larry Ross
2009-08-18 12:19 ` Stephen Smalley
2009-08-18 12:39 ` Stephen Smalley
2009-08-18 17:15 ` Larry Ross
2009-08-18 18:10 ` Daniel J Walsh [this message]
2009-08-18 18:57 ` Larry
2009-08-19 14:34 ` Stephen Smalley
2009-08-19 14:36 ` Steve Grubb
2009-08-19 14:39 ` Stephen Smalley
2009-08-19 17:14 ` Stephen Smalley
2009-08-18 19:10 ` Larry
2009-08-19 11:33 ` Stephen Smalley