* passwd, chfn and chsh not reporting AVC's
@ 2011-10-20 13:09 Daniel J Walsh
From: Daniel J Walsh @ 2011-10-20 13:09 UTC (permalink / raw)
To: SELinux
[-- Attachment #1: Type: text/plain, Size: 540 bytes --]
In reviewing some bugs on these packages we realize we want to update
them to use the latest tool chain. In order to make this easier, we
want to add a new function called selinux_check_access to libselinux.
Please review patch.
[-- Attachment #2: libselinux-checkaccess.patch --]
[-- Type: text/plain, Size: 3725 bytes --]
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index d29b0c1..792e68e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -500,6 +500,25 @@ extern const char *selinux_colors_path(void);
extern const char *selinux_netfilter_context_path(void);
extern const char *selinux_path(void);
+/**
+ * selinux_check_access - Check permissions and perform appropriate auditing.
+ * @scon: source security context
+ * @tcon: target security context
+ * @tclass: target security class string
+ * @perm: requested permissions string, interpreted based on @tclass
+ * @auditdata: auxiliary audit data
+ *
+ * Check the AVC to determine whether the @perm permissions are granted
+ * for the SID pair (@scon, @tcon), interpreting the permissions
+ * based on @tclass.
+ * Return %0 if all @perm permissions are granted, -%1 with
+ * @errno set to %EACCES if any permissions are denied or to another
+ * value upon other errors.
+ * If auditing or logging is configured the appropriate callbacks will be called
+ * and passed the auditdata field
+ */
+extern int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *tclass, const char *perm, void *auditdata);
+
/* Check a permission in the passwd class.
Return 0 if granted or -1 otherwise. */
extern int selinux_check_passwd_access(access_vector_t requested);
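Review bot: `const security_context_t` in the new prototype does not make the pointed-to string const: `security_context_t` is a typedef for `char *`, so the qualifier binds to the pointer itself (`char *const`), and a caller holding a `const char *` context still needs a cast. Consider `const char *scon, const char *tcon`, which also matches how the doc comment describes them. One small inconsistency in the comment itself: the parameter list calls the auxiliary argument `@auditdata`, while the body says "the auditdata field"; use the `@auditdata` form in both places.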
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index f2d9f30..1e36952 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -24,6 +24,8 @@ the SELinux policy database in the kernel.
.BI "int security_get_initial_context(const char *" name ", security_context_t
"con );
.sp
+.BI "int selinux_check_access(const security_context_t " scon, " const security_context_t " tcon, " const char *" class, " const char *" perm, "void *" auditdata);
+.sp
.BI "int selinux_check_passwd_access(access_vector_t " requested );
.sp
.BI "int checkPasswdAccess(access_vector_t " requested );
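Review bot: The SYNOPSIS line names the class argument `class` while the header declares it `tclass`; the two should agree, and `tclass` also avoids a C++ keyword in a public header. In the `.BI` alternation, the unquoted italic argument `perm,` is followed directly by the bold `"void *"`, so the rendered line will read `perm,void *` with no space; quote it as `" void *"` (leading space included), as the other type strings on the line do.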
@@ -74,6 +76,9 @@ source context. It is mainly used by
is used to get the context of a kernel initial security identifier specified by
.I name
+.B selinux_check_access
+is used to check if the source context has the access permission for the specified class on the target context.
+
.B selinux_check_passwd_access
is used to check for a permission in the
.I passwd
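Review bot: The DESCRIPTION paragraph for `selinux_check_access` leaves out the two things that distinguish it from `security_compute_av`: that the check goes through the userspace AVC, so the audit/log callbacks set via `selinux_set_callback` are invoked and permissive handling applies, and what it returns. Suggest mirroring the header comment here: returns 0 if all requested permissions are granted, -1 with `errno` set to `EACCES` on denial or to another value on other errors.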
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index c1982c7..37ccc15 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -4,8 +4,40 @@
#include <errno.h>
#include "selinux_internal.h"
#include <selinux/flask.h>
+#include <selinux/avc.h>
#include <selinux/av_permissions.h>
+static pthread_once_t once = PTHREAD_ONCE_INIT;
+
+static void avc_init_once(void)
+{
+ avc_open(NULL, 0);
+}
+
+int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *aux) {
+ int status = -1;
+ int rc = -1;
+ security_id_t scon_id;
+ security_id_t tcon_id;
+ security_class_t sclass;
+ access_vector_t av;
+
+ if (is_selinux_enabled() == 0)
+ return 0;
+
+ __selinux_once(once, avc_init_once);
+
+ if ((rc = avc_context_to_sid(scon, &scon_id)) < 0) return rc;
+
+ if ((rc = avc_context_to_sid(tcon, &tcon_id)) < 0) return rc;
+
+ if ((sclass = string_to_security_class(class)) == 0) return status;
+
+ if ((av = string_to_av_perm(sclass, perm)) == 0) return status;
+
+ return (avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
+}
+
int selinux_check_passwd_access(access_vector_t requested)
{
int status = -1;
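Review bot: The final `return (avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);` has an unbalanced parenthesis and will not compile; it should read `return avc_has_perm(scon_id, tcon_id, sclass, av, NULL, aux);`. Two smaller points in the same function: the `return status;` paths after a failed `string_to_security_class()` or `string_to_av_perm()` return -1 without this function setting `errno` itself, so the header's promise of a meaningful `errno` rests on those lookups doing it; an explicit `errno = EINVAL` before those returns makes the documented contract hold unconditionally. And `avc_init_once()` discards the return value of `avc_open(NULL, 0)`, so an AVC that failed to open only surfaces later as an `avc_context_to_sid()` failure rather than a clear error. Style: the opening brace of `selinux_check_access` sits on the signature line, unlike `selinux_check_passwd_access` directly below; `status` is only ever -1, so `rc` and `status` could be one variable; and the last parameter is `aux` here but `auditdata` in the header.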
* Re: passwd, chfn and chsh not reporting AVC's
@ 2011-10-20 13:42 ` Stephen Smalley
From: Stephen Smalley @ 2011-10-20 13:42 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux, Joshua Brindle
On Thu, 2011-10-20 at 09:09 -0400, Daniel J Walsh wrote:
> In reviewing some bugs on these packages we realize we want to update
> them to use the latest tool chain. In order to make this easier, we
> want to add a new function called selinux_check_access to libselinux.
>
> Please review patch.
For those who are interested in more details, this is in reference to:
https://bugzilla.redhat.com/show_bug.cgi?id=518268
and has come up a few times on selinux list as a problem for users due
to the lack of any AVC audit message upon certain userspace permission
checks. These programs were modified for SELinux before the userspace
AVC existed, and thus directly used security_compute_av(). But even
with the userspace AVC in existence, they would prefer a simpler
interface with fewer discrete calls as they are not long-lived processes
and typically only perform a single permission check. This is an
attempt to bundle up everything into a single interface similar to
security_compute_av (but with string-based classes and permissions so
that even that lookup is handled internally) that internally uses the
AVC so that we get the benefits of auditing and permissive
mode/permissive domain handling that are not provided by
security_compute_av(). The program still has to call
selinux_set_callback() to set up the logging callback as we don't want
to tightly couple libselinux to libaudit, but otherwise is freed from
any other setup responsibility (avc_open is handled internally on first
use of the interface via __selinux_once magic).
--
Stephen Smalley
National Security Agency