* selinux_check_access() and unknown classes/perms
@ 2014-04-29 21:14 Eric Paris
2014-04-29 22:18 ` Dominick Grift
2014-04-30 0:02 ` Stephen Smalley
0 siblings, 2 replies; 8+ messages in thread
From: Eric Paris @ 2014-04-29 21:14 UTC (permalink / raw)
To: SE-Linux, Dominick Grift
selinux_check_access() has code like this:
    sclass = string_to_security_class(class);
    if (sclass == 0) {
        rc = errno;
        if (security_deny_unknown() == 0)
            return 0;
        errno = rc;
        return -1;
    }
My problem with the code is that we have no logging of any kind of why we
just returned -1. The reason this was found is because Dominick is
writing custom policy that doesn't define all of the classes/perms
used by systemd and has security_deny_unknown() == 1. systemd calls
selinux_check_access(), gets -EINVAL, prints that it denied, but nowhere
do we have a good reason why it was denied. systemd doesn't
know; it's hidden in this library...
A good first step would be to call avc_log(SELINUX_ERR, ...) in the
case where we return an error. But what do we do in the
security_deny_unknown() == 0 case? I'd still like to call avc_log,
but only do it once rather than flood our logs. Any suggestions how
to pull that off?
-Eric
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: selinux_check_access() and unknown classes/perms
2014-04-29 21:14 selinux_check_access() and unknown classes/perms Eric Paris
@ 2014-04-29 22:18 ` Dominick Grift
2014-04-30 0:02 ` Stephen Smalley
1 sibling, 0 replies; 8+ messages in thread
From: Dominick Grift @ 2014-04-29 22:18 UTC (permalink / raw)
To: Eric Paris; +Cc: SE-Linux
On Tue, 2014-04-29 at 17:14 -0400, Eric Paris wrote:
> selinux_check_access() has code like this:
>
> sclass = string_to_security_class(class);
> if (sclass == 0) {
> rc = errno;
> if (security_deny_unknown() == 0)
> return 0;
> errno = rc;
> return -1;
> }
>
> My problem with the code is that we have no logging of any kind why we
> just returned -1; The reason this was found is because Dominick is
> writing custom policy that doesn't define all of the classes/perms
> used by systemd and has security_deny_unknown() == 1. systemd calls
> selinux_check_access(), gets -EINVAL, prints that it denied, but nowhere
> do we have a good reason why it was denied. systemd doesn't
> know, it's hidden in this library...
Systemd just prints: SELinux policy denies access. That is it. There is
no way to tell that there are unknown permissions, or which unknown
permissions. One ends up in a situation that is not easy to debug.
In my case I knew directly this was about the systemd permissions
associated with the system kernel security class. I was hesitant to add
those since to me it just does not sound right to associate user space
permissions with a kernel security class.
This issue surfaced as part of a bigger issue that I identified where at
some point late in the shutdown process no AVCs are logged at all
anymore, whether they be user space AVC denials or kernel AVC denials.
For example, if systemd did not have permissions to unmount file
systems, then attempts by systemd to unmount file systems on shutdown
would be denied without any logs.
As a policy writer, AVC denials and other SELinux messages are all I have
to go with. If SELinux blocks without any information then I do not know
what to do.
* Re: selinux_check_access() and unknown classes/perms
2014-04-29 21:14 selinux_check_access() and unknown classes/perms Eric Paris
2014-04-29 22:18 ` Dominick Grift
@ 2014-04-30 0:02 ` Stephen Smalley
2014-04-30 12:58 ` Daniel J Walsh
1 sibling, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2014-04-30 0:02 UTC (permalink / raw)
To: Eric Paris; +Cc: SE-Linux
Well, you could use a static variable à la printk_once in the kernel;
it would only happen once per program rather than once per unique denial,
but there is no real way to do that short of introducing an AVC entry
for an undefined class...
On Tue, Apr 29, 2014 at 2:14 PM, Eric Paris <eparis@parisplace.org> wrote:
> selinux_check_access() has code like this:
>
> sclass = string_to_security_class(class);
> if (sclass == 0) {
> rc = errno;
> if (security_deny_unknown() == 0)
> return 0;
> errno = rc;
> return -1;
> }
>
> My problem with the code is that we have no logging of any kind why we
> just returned -1; The reason this was found is because Dominick is
> writing custom policy that doesn't define all of the classes/perms
> used by systemd and has security_deny_unknown() == 1. systemd calls
> selinux_check_access(), gets -EINVAL, prints that it denied, but nowhere
> do we have a good reason why it was denied. systemd doesn't
> know, it's hidden in this library...
>
> A good first step would be to call avc_log(SELINUX_ERR, ...) in the
> case where we return an error. But what do we do in the
> security_deny_unknown() == 0 case? I'd still like to call avc_log,
> but only do it once rather than flood our logs. Any suggestions how
> to pull that off?
>
> -Eric
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
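The once-only logging Eric asks for in his first message and the printk_once-style static that Stephen suggests above, worked through as an added example. This is not libselinux code and not code from any poster: it is a stand-alone C model of the unknown-class / unknown-permission path of selinux_check_access(). The toy_* names, the two-class policy table, and the log-once table keyed on the class or class:perm string are all invented for the example. Keying on the string makes the message fire once per unique unknown rather than once per process, which is what a static flag gives you, at the cost of a small in-process lookup table.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: a stand-alone model of the unknown-class/permission path
 * in selinux_check_access(), with a log-once table so a policy writer sees
 * each unknown class or permission exactly once instead of never (current
 * behaviour) or on every call (naive logging).  Not libselinux code; all
 * toy_* names and the policy table below are invented for the example.
 */

#define CLASS_PERMS 4

/* Constructed toy policy: which classes and permissions are defined. */
struct toy_class {
    const char *name;
    const char *perms[CLASS_PERMS];
};

static const struct toy_class toy_policy[] = {
    { "file",   { "read", "write", "open", NULL } },
    { "system", { "status", "reload", NULL, NULL } },
};
#define TOY_NCLASSES (sizeof toy_policy / sizeof toy_policy[0])

/* Stand-in for security_deny_unknown(): 1 = deny unknown, 0 = allow. */
int toy_deny_unknown = 1;

/* Messages actually emitted; lets a caller verify the once-only behaviour. */
int toy_log_count = 0;

/* Log-once table keyed by "class" or "class:perm". */
#define SEEN_MAX 32
#define KEY_MAX  64
static char seen_keys[SEEN_MAX][KEY_MAX];
static int seen_count = 0;

/* Emit msg the first time key is seen; later repeats are suppressed.
 * Returns true when a message was written. */
static bool log_unknown_once(const char *key, const char *msg)
{
    for (int i = 0; i < seen_count; i++)
        if (strcmp(seen_keys[i], key) == 0)
            return false;
    if (seen_count < SEEN_MAX) {
        snprintf(seen_keys[seen_count], KEY_MAX, "%s", key);
        seen_count++;
    }
    /* If the table is full we still log: losing a message is worse than a repeat. */
    fprintf(stderr, "toy_check_access: %s\n", msg);
    toy_log_count++;
    return true;
}

/* Analogue of string_to_security_class(): 1-based index, 0 = unknown. */
static unsigned toy_class_id(const char *cls)
{
    for (unsigned i = 0; i < TOY_NCLASSES; i++)
        if (strcmp(toy_policy[i].name, cls) == 0)
            return i + 1;
    return 0;
}

/* Analogue of string_to_av_perm(): bit for the permission, 0 = unknown. */
static unsigned toy_perm_bit(unsigned sclass, const char *perm)
{
    const struct toy_class *c = &toy_policy[sclass - 1];
    for (unsigned i = 0; i < CLASS_PERMS && c->perms[i]; i++)
        if (strcmp(c->perms[i], perm) == 0)
            return 1u << i;
    return 0;
}

/* Returns 0 when access is permitted, -1 with errno = EINVAL when the class
 * or permission is undefined and the policy denies unknowns.  Defined
 * (class, perm) pairs are simply allowed here; real code would consult the AVC. */
int toy_check_access(const char *cls, const char *perm)
{
    char key[KEY_MAX], msg[2 * KEY_MAX];
    const char *verdict = toy_deny_unknown ? "denied" : "allowed by handle_unknown=allow";
    unsigned sclass = toy_class_id(cls);

    if (sclass == 0) {
        snprintf(key, sizeof key, "%s", cls);
        snprintf(msg, sizeof msg, "unknown class '%s' (%s)", cls, verdict);
        log_unknown_once(key, msg);
        if (!toy_deny_unknown)
            return 0;
        errno = EINVAL;  /* set after logging so the log path cannot clobber it */
        return -1;
    }

    if (toy_perm_bit(sclass, perm) == 0) {
        snprintf(key, sizeof key, "%s:%s", cls, perm);
        snprintf(msg, sizeof msg, "unknown permission '%s' for class '%s' (%s)", perm, cls, verdict);
        log_unknown_once(key, msg);
        if (!toy_deny_unknown)
            return 0;
        errno = EINVAL;
        return -1;
    }
    return 0;
}

int main(void)
{
    toy_check_access("file", "read");       /* defined: allowed, nothing logged */
    toy_check_access("system", "halt");     /* unknown perm: logged once ... */
    toy_check_access("system", "halt");     /* ... and suppressed here */
    toy_check_access("bogus", "anything");  /* unknown class: logged */
    printf("messages logged: %d\n", toy_log_count);
    return 0;
}
```

Build with `cc -Wall example.c` and run it: the second "system halt" lookup is still denied with errno set to EINVAL, but only the first one writes a message, and flipping toy_deny_unknown to 0 turns the same lookups into allows without generating a second message for a key already seen.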
* Re: selinux_check_access() and unknown classes/perms
2014-04-30 0:02 ` Stephen Smalley
@ 2014-04-30 12:58 ` Daniel J Walsh
2014-07-05 12:08 ` Laurent Bigonville
0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2014-04-30 12:58 UTC (permalink / raw)
To: Stephen Smalley, Eric Paris; +Cc: SE-Linux
I would think an AVC entry for an undefined class would be a good idea.
On 04/29/2014 08:02 PM, Stephen Smalley wrote:
> Well, you could use a static variable ala printk_once in the kernel;
> would only happen once per program rather than once per unique denial,
> but there is no real way to do that short of introducing an AVC entry
> for an undefined class...
>
> On Tue, Apr 29, 2014 at 2:14 PM, Eric Paris <eparis@parisplace.org> wrote:
>> selinux_check_access() has code like this:
>>
>> sclass = string_to_security_class(class);
>> if (sclass == 0) {
>> rc = errno;
>> if (security_deny_unknown() == 0)
>> return 0;
>> errno = rc;
>> return -1;
>> }
>>
>> My problem with the code is that we have no logging of any kind why we
>> just returned -1; The reason this was found is because Dominick is
>> writing custom policy that doesn't define all of the classes/perms
>> used by systemd and has security_deny_unknown() == 1. systemd calls
>> selinux_check_access(), gets -EINVAL, prints that it denied, but nowhere
>> do we have a good reason why it was denied. systemd doesn't
>> know, it's hidden in this library...
>>
>> A good first step would be to call avc_log(SELINUX_ERR, ...) in the
>> case where we return an error. But what do we do in the
>> security_deny_unknown() == 0 case? I'd still like to call avc_log,
>> but only do it once rather than flood our logs. Any suggestions how
>> to pull that off?
>>
>> -Eric
* Re: selinux_check_access() and unknown classes/perms
2014-04-30 12:58 ` Daniel J Walsh
@ 2014-07-05 12:08 ` Laurent Bigonville
2014-07-05 12:42 ` Dominick Grift
0 siblings, 1 reply; 8+ messages in thread
From: Laurent Bigonville @ 2014-07-05 12:08 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE-Linux
On Wed, 30 Apr 2014 08:58:39 -0400,
Daniel J Walsh <dwalsh@redhat.com> wrote:
> I would think an AVC entry for an undefined class would be a good
> idea.
I would also be happy to see such a thing.
Does anybody know which steps should be taken to achieve this?
Cheers,
Laurent Bigonville
* Re: selinux_check_access() and unknown classes/perms
2014-07-05 12:08 ` Laurent Bigonville
@ 2014-07-05 12:42 ` Dominick Grift
2014-07-08 18:04 ` Stephen Smalley
0 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2014-07-05 12:42 UTC (permalink / raw)
To: selinux
For reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1095354
* Re: selinux_check_access() and unknown classes/perms
2014-07-05 12:42 ` Dominick Grift
@ 2014-07-08 18:04 ` Stephen Smalley
2014-07-08 18:25 ` Dominick Grift
0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2014-07-08 18:04 UTC (permalink / raw)
To: Dominick Grift, selinux
On 07/05/2014 08:42 AM, Dominick Grift wrote:
> For reference:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1095354
Will this suffice?
[-- Attachment #2: 0001-Log-an-error-on-unknown-classes-and-permissions.patch --]
From 7bdc38ccb21133155658279895b10ceb347b0b5a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 8 Jul 2014 14:03:39 -0400
Subject: [PATCH] Log an error on unknown classes and permissions.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
libselinux/src/checkAccess.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 4d70ebe..cd2a817 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -7,6 +7,7 @@
#include <selinux/flask.h>
#include <selinux/avc.h>
#include <selinux/av_permissions.h>
+#include "avc_internal.h"
static pthread_once_t once = PTHREAD_ONCE_INIT;
@@ -38,6 +39,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
sclass = string_to_security_class(class);
if (sclass == 0) {
rc = errno;
+ avc_log(SELINUX_ERROR, "Unknown class %s", class);
if (security_deny_unknown() == 0)
return 0;
errno = rc;
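Review bot: the new `+ avc_log(SELINUX_ERROR, "Unknown class %s", class);` runs before the security_deny_unknown() test, so with a policy that allows unknowns (the `return 0` branch) every call naming an undefined class still emits an error-level message, which is exactly the flood Eric asked about upthread; log at SELINUX_WARNING or behind a static once flag in the allow branch and keep SELINUX_ERROR for the deny branch. The format string also has no trailing "\n", so unless the installed log callback adds one the message runs into the next line of output. Saving errno into rc before the call and restoring it after is right, since the log callback may clobber errno.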
@@ -47,6 +49,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
av = string_to_av_perm(sclass, perm);
if (av == 0) {
rc = errno;
+ avc_log(SELINUX_ERROR, "Unknown permission %s for class %s", perm, class);
if (security_deny_unknown() == 0)
return 0;
errno = rc;
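Review bot: `+ avc_log(SELINUX_ERROR, "Unknown permission %s for class %s", perm, class);` tells the policy writer what was undefined but not who asked; scon and tcon are right there in the selinux_check_access() signature shown in the hunk header, and including them (for example scontext=%s tcontext=%s) would let the policy writer map the message to the domain that needs the rule, which is the debugging gap Dominick describes. Same ordering point as the class hunk: the log precedes the security_deny_unknown() test, so the allow path logs an error on every call, and the string lacks a trailing "\n".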
--
1.8.3.1
* Re: selinux_check_access() and unknown classes/perms
2014-07-08 18:04 ` Stephen Smalley
@ 2014-07-08 18:25 ` Dominick Grift
0 siblings, 0 replies; 8+ messages in thread
From: Dominick Grift @ 2014-07-08 18:25 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Tue, 2014-07-08 at 14:04 -0400, Stephen Smalley wrote:
> On 07/05/2014 08:42 AM, Dominick Grift wrote:
> > For reference:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1095354
I suspect it will, thanks.