From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Guido Trentalancia <guido@trentalancia.com>
Cc: SELinux@tycho.nsa.gov
Subject: Re: selinux_check_passwd_access() behaviour when passwd class does not exist
Date: Thu, 05 Nov 2009 09:20:23 +0900 [thread overview]
Message-ID: <4AF21A47.4000303@ak.jp.nec.com> (raw)
In-Reply-To: <1257280144.3005.86.camel@tesla.lan>
Guido Trentalancia wrote:
> On Tue, 03/11/2009 08.13 -0500, Daniel J Walsh wrote:
>
>> I am not sure, I think it could be argued that this function should not be in libselinux at all, since it hard codes policy into the library.
>>
>> I think you need to start setting the errno if you are going to change the function ENOSUPP for this error versus EPERM for the other error, and then all users (passwd?) of the function need to change to look at the errno.
>>
>
> Or if the intent is just to remove the hard-coded word "passwd" from the
> libselinux code, then it is possible to use SECCLASS_PASSWD defined in
> flask.h as follows:
It goes against the times.
The string_to_security_class(3) enables applications to perform correctly
independent from the security policy.
In principle, user can provide its own security policy with its own set
of object classes and permissions. It can have its own code, and it may
not equivalent to SECCLASS_PASSWD.
My suggestion is to apply security_deny_unknown(3) which returns a preferable
behavior when application requires undefined object classes/permissions.
Thanks,
> --- libselinux/src/checkAccess.c.orig 2009-11-03 21:11:21.000000000
> +0100
> +++ libselinux/src/checkAccess.c 2009-11-03 21:13:44.000000000
> +0100
> @@ -17,13 +17,9 @@ int selinux_check_passwd_access(access_v
> struct av_decision avd;
> int retval;
>
> - passwd_class = string_to_security_class("passwd");
> - if (passwd_class == 0)
> - return 0;
> -
> retval = security_compute_av_raw(user_context,
> user_context,
> - passwd_class,
> + SECCLASS_PASSWD,
> requested,
> &avd);
>
> This solution shortens the code and also avoids the issue that might
> arise if such a security object class is not defined, because the
> library simply won't compile...
>
> Guido
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-11-05 0:20 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-02 22:43 selinux_check_passwd_access() behaviour when passwd class does not exist Guido Trentalancia
2009-11-03 13:13 ` Daniel J Walsh
2009-11-03 19:04 ` Guido Trentalancia
2009-11-03 20:29 ` Guido Trentalancia
2009-11-05 0:20 ` KaiGai Kohei [this message]
2009-11-05 14:46 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AF21A47.4000303@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=SELinux@tycho.nsa.gov \
--cc=guido@trentalancia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.