From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <stephen.smalley@gmail.com>,
Eric Paris <eparis@parisplace.org>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: selinux_check_access() and unknown classes/perms
Date: Wed, 30 Apr 2014 08:58:39 -0400
Message-ID: <5360F37F.2050908@redhat.com>
In-Reply-To: <CAB9W1A0RHSS3VJcbvCtMDULm6zi3xiuN9eBpS49cR6CEoBw0jQ@mail.gmail.com>
I would think an AVC entry for an undefined class would be a good idea.
On 04/29/2014 08:02 PM, Stephen Smalley wrote:
> Well, you could use a static variable ala printk_once in the kernel;
> would only happen once per program rather than once per unique denial,
> but there is no real way to do that short of introducing an AVC entry
> for an undefined class...
>
> On Tue, Apr 29, 2014 at 2:14 PM, Eric Paris <eparis@parisplace.org> wrote:
>> selinux_check_access() has code like this:
>>
>> sclass = string_to_security_class(class);
>> if (sclass == 0) {
>>         rc = errno;
>>         if (security_deny_unknown() == 0)
>>                 return 0;
>>         errno = rc;
>>         return -1;
>> }
>>
>> My problem with the code is that we have no logging of any kind of why we
>> just returned -1. The reason this was found is because Dominick is
>> writing custom policy that doesn't define all of the classes/perms
>> used by systemd and has security_deny_unknown() == 1. systemd calls
>> selinux_check_access(), gets -EINVAL, prints that it denied, but
>> nowhere do we have a good reason why it was denied. systemd doesn't
>> know; it's hidden in this library...
>>
>> A good first step would be to call avc_log(SELINUX_ERR, ...) in the
>> case where we return an error. But what do we do in the
>> security_deny_unknown() == 0 case? I'd still like to call avc_log,
>> but only do it once rather than flood our logs. Any suggestions how
>> to pull that off?
>>
>> -Eric
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
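The logging Eric asks for (always on the deny path, and once per class rather than once per call on the security_deny_unknown() == 0 path, along the lines of Stephen's printk_once suggestion), as an added stand-alone C model that is not libselinux's own code: lookup_class(), avc_err() and the seen_before() table are constructed stand-ins for string_to_security_class(), avc_log(SELINUX_ERR, ...) and the AVC entry the thread discusses, and the known-class list is made up for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for string_to_security_class(): 0 = not in policy. */
static unsigned short lookup_class(const char *name)
{
    static const char *known[] = { "file", "dir", "process", "unix_stream_socket" };
    for (unsigned i = 0; i < sizeof known / sizeof *known; i++)
        if (strcmp(known[i], name) == 0)
            return (unsigned short)(i + 1);
    return 0;
}
/* Constructed stand-in for avc_log(SELINUX_ERR, ...); counts what it emits. */
static int log_count;
static void avc_err(const char *cls, const char *why)
{
    log_count++;
    fprintf(stderr, "selinux_check_access: class '%s' %s\n", cls, why);
}
int get_log_count(void) { return log_count; }
/* Classes already reported, so the deny_unknown == 0 path logs once per class
 * (Stephen's printk_once idea, keyed by class name) rather than on every call. */
static int seen_before(const char *cls)
{
    static char seen[16][32]; static unsigned n;
    for (unsigned i = 0; i < n; i++)
        if (strcmp(seen[i], cls) == 0)
            return 1;
    if (n < 16)
        snprintf(seen[n++], sizeof seen[0], "%s", cls);
    return 0;
}

/* Same contract as the quoted branch (0 allows, -1 + EINVAL denies), but never silent. */
int check_unknown_class(const char *cls, int deny_unknown)
{
    if (lookup_class(cls) != 0)
        return 0;                 /* defined class: normal AVC lookup follows */
    if (deny_unknown == 0) {
        if (!seen_before(cls))
            avc_err(cls, "undefined in policy, allowed (deny_unknown=0)");
        return 0;
    }
    avc_err(cls, "undefined in policy, denied (deny_unknown=1)");
    errno = EINVAL;               /* the real lookup sets this; the stand-in does not */
    return -1;
}
```

With this in place a caller like systemd still sees only -1/EINVAL, but the log now names the undefined class, which is what the custom-policy case needs to be diagnosable.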
Thread overview: 8+ messages
2014-04-29 21:14 selinux_check_access() and unknown classes/perms Eric Paris
2014-04-29 22:18 ` Dominick Grift
2014-04-30 0:02 ` Stephen Smalley
2014-04-30 12:58 ` Daniel J Walsh [this message]
2014-07-05 12:08 ` Laurent Bigonville
2014-07-05 12:42 ` Dominick Grift
2014-07-08 18:04 ` Stephen Smalley
2014-07-08 18:25 ` Dominick Grift