From: Daniel J Walsh <dwalsh@redhat.com>
To: Laurent Bigonville <bigon@debian.org>,
SELinux List <selinux@tycho.nsa.gov>
Cc: Eric Paris <eparis@redhat.com>
Subject: Re: avc_has_perm() returns -1 even when SELinux is in permissive mode
Date: Mon, 28 Oct 2013 08:55:57 -0400
Message-ID: <526E5EDD.20206@redhat.com>
In-Reply-To: <20131027144337.5b89c5a8@fornost.bigon.be>
On 10/27/2013 09:43 AM, Laurent Bigonville wrote:
> Hello,
>
> After some debugging on Debian to figure out why D-Bus was denying messages
> between my user session and policykit with SELinux in permissive mode,
> eparis pointed out to me that Fedora has a patch for this in the avc_has_perm()
> function.
>
> The patch[0] itself seems pretty trivial and I was wondering if it (or
> something similar) could be merged in the upstream codebase.
>
> But, if I'm not wrong, this patch makes avc_has_perm() and
> avc_has_perm_noaudit() have different behavior when the machine is running
> in permissive mode. Shouldn't this be tested in the avc_has_perm_noaudit()
> function instead?
>
> my 2¢,
>
> Laurent Bigonville
>
> [0]
> http://pkgs.fedoraproject.org/cgit/libselinux.git/tree/libselinux-rhat.patch#n704
>
> -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes
> as the message.
>
I believe this patch was rejected upstream. Basically upstream wanted the
calling apps to check the permissive flags themselves. DBUS argued against
it, so we carry a patch for it.
The reason this is not in avc_has_perm_noaudit is that we want the avc to be
still audited. I agree that it should be moved up to avc_has_perm_noaudit.
avc_has_perm_noaudit currently checks the permissive flag on only one code
path, but not on failures.
The argument is whether or not avc_has_perm* should ever block anything in
permissive mode. We believe it should not.
I will move the override check to avc_has_perm_noaudit.
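The two resolutions under discussion (checking the enforcing state inside the AVC decision, as the Fedora patch does and Dan proposes for avc_has_perm_noaudit(), versus leaving the library strict and having each caller consult the enforcing flag) can be compared with a small model. The following C block is an added example and is not libselinux code nor anything posted in this thread: every `model_` name and the constant `MODEL_AVD_FLAGS_PERMISSIVE` are hypothetical stand-ins chosen to mirror the shape of avc_has_perm_noaudit()/avc_has_perm() (libselinux signals a denial with `-1` and `errno == EACCES`, and carries the per-domain permissive bit as `SELINUX_AVD_FLAGS_PERMISSIVE` in its avd flags). The model shows the point Dan makes about auditing: permissive mode must change the verdict, not the audit record, and a caller-side override should only ever apply to EACCES, never to other failures.

```c
/*
 * Added model of the permissive-mode decision discussed in this thread.
 * Not libselinux code: the model_ names and MODEL_AVD_FLAGS_PERMISSIVE
 * are hypothetical stand-ins for the real AVC types and flags.
 */
#include <errno.h>
#include <stdio.h>

/* Model of the access-vector decision handed back by the AVC. */
struct model_avd {
    unsigned int allowed;   /* permission bits the loaded policy grants */
    unsigned int flags;     /* MODEL_AVD_FLAGS_PERMISSIVE if the source domain is permissive */
};
#define MODEL_AVD_FLAGS_PERMISSIVE 0x1

/* Outcome of one check, including what would be handed to audit. */
struct model_result {
    int rc;                 /* 0 = proceed, -1 = denied (errno set to EACCES) */
    unsigned int audited;   /* permission bits that produce an audit record */
};

/*
 * Library-side variant: the permissive override sits next to the decision,
 * which is where Dan says it will be moved (avc_has_perm_noaudit).  Denied
 * bits are still reported for audit whether or not they block the caller.
 */
struct model_result model_has_perm(unsigned int requested,
                                   const struct model_avd *avd,
                                   int enforcing)
{
    struct model_result r = { 0, 0 };
    unsigned int denied = requested & ~avd->allowed;

    if (denied) {
        r.audited = denied;   /* audit first: mode changes the verdict, not the log */
        if (!enforcing || (avd->flags & MODEL_AVD_FLAGS_PERMISSIVE)) {
            r.rc = 0;         /* would have been denied; let it through */
        } else {
            errno = EACCES;
            r.rc = -1;
        }
    }
    return r;
}

/*
 * Strict variant: blocks on any denial regardless of mode, the behaviour
 * Laurent reports.  The caller is expected to consult the enforcing flag
 * itself, which is the position upstream took at the time of the thread.
 */
struct model_result model_has_perm_strict(unsigned int requested,
                                          const struct model_avd *avd)
{
    struct model_result r = { 0, 0 };
    unsigned int denied = requested & ~avd->allowed;

    if (denied) {
        r.audited = denied;
        errno = EACCES;
        r.rc = -1;
    }
    return r;
}

/*
 * Caller-side handling of the strict variant's result.  Only a policy
 * denial (EACCES) is overridden in permissive mode; any other failure,
 * such as ENOMEM from a real AVC lookup, still fails closed.
 */
int model_caller_allows(struct model_result r, int enforcing)
{
    if (r.rc == 0)
        return 1;
    if (errno == EACCES && !enforcing)
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed decision: policy grants bit 0x1 only, domain not permissive. */
    struct model_avd avd = { 0x1, 0 };
    struct model_result r;

    r = model_has_perm(0x3, &avd, 1);
    printf("enforcing:  rc=%d audited=0x%x\n", r.rc, r.audited);
    r = model_has_perm(0x3, &avd, 0);
    printf("permissive: rc=%d audited=0x%x\n", r.rc, r.audited);
    r = model_has_perm_strict(0x3, &avd);
    printf("strict + caller check in permissive mode: allowed=%d\n",
           model_caller_allows(r, 0));
    return 0;
}
```

Both variants emit the same audit bits for the same request; they differ only in whether the override is applied once inside the library or repeated by every caller, which is the consistency argument Laurent raises against checking it in avc_has_perm() alone.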