* selinux_check_access() and unknown classes/perms
From: Eric Paris @ 2014-04-29 21:14 UTC
To: SE-Linux, Dominick Grift

selinux_check_access() has code like this:

	sclass = string_to_security_class(class);
	if (sclass == 0) {
		rc = errno;
		if (security_deny_unknown() == 0)
			return 0;
		errno = rc;
		return -1;
	}

My problem with the code is that we have no logging of any kind of why we
just returned -1. The reason this was found is because Dominick is
writing custom policy that doesn't define all of the classes/perms
used by systemd and has security_deny_unknown() == 1. systemd calls
selinux_check_access(), gets -EINVAL, prints that it denied, but
nowhere do we have a good reason why it was denied. systemd doesn't
know; it's hidden in this library...

A good first step would be to call avc_log(SELINUX_ERR, ...) in the
case where we return an error. But what do we do in the
security_deny_unknown() == 0 case? I'd still like to call avc_log,
but only do it once rather than flood our logs. Any suggestions on how
to pull that off?

-Eric

* Re: selinux_check_access() and unknown classes/perms
From: Dominick Grift @ 2014-04-29 22:18 UTC
To: Eric Paris; +Cc: SE-Linux

On Tue, 2014-04-29 at 17:14 -0400, Eric Paris wrote:
> selinux_check_access() has code like this:
>
> sclass = string_to_security_class(class);
> if (sclass == 0) {
> rc = errno;
> if (security_deny_unknown() == 0)
> return 0;
> errno = rc;
> return -1;
> }
>
> My problem with the code is that we have no logging of any kind why we
> just returned -1; The reason this was found is because Dominick is
> writing custom policy that doesn't define all of the classes/perms
> used by systemd and has security_deny_unknown() == 1. systemd calls
> selinux_check_access() gets -EINVAL, prints that it denied, but no
> where do we have a good reason why it was denied. systemd doesn't
> know, it's hidden in this library...

Systemd just prints: SELinux policy denies access. That is it. There is
no way to tell that there are unknown permissions and which unknown
permissions. One ends up in a situation that is not easy to debug.

In my case I knew directly this was about the systemd permissions
associated with the system kernel security class. I was hesitant to add
those since to me it just does not sound right to associate user space
permissions with a kernel security class.

This issue surfaced as part of a bigger issue that I identified where at
some point late in the shutdown process no AVCs are logged at all
anymore, whether it be user space AVC denials or kernel AVC denials.
For example, if systemd would not have permissions to unmount file
systems, then attempts by systemd to unmount file systems on shutdown
would be denied without any logs.

As a policy writer, AVC denials and other SELinux messages are all I have
to go on. If SELinux blocks without any information then I do not know
what to do.

* Re: selinux_check_access() and unknown classes/perms
From: Stephen Smalley @ 2014-04-30 0:02 UTC
To: Eric Paris; +Cc: SE-Linux

Well, you could use a static variable à la printk_once in the kernel;
would only happen once per program rather than once per unique denial,
but there is no real way to do that short of introducing an AVC entry
for an undefined class...

On Tue, Apr 29, 2014 at 2:14 PM, Eric Paris <eparis@parisplace.org> wrote:
> selinux_check_access() has code like this:
>
> sclass = string_to_security_class(class);
> if (sclass == 0) {
> rc = errno;
> if (security_deny_unknown() == 0)
> return 0;
> errno = rc;
> return -1;
> }
>
> My problem with the code is that we have no logging of any kind why we
> just returned -1; The reason this was found is because Dominick is
> writing custom policy that doesn't define all of the classes/perms
> used by systemd and has security_deny_unknown() == 1. systemd calls
> selinux_check_access() gets -EINVAL, prints that it denied, but no
> where do we have a good reason why it was denied. systemd doesn't
> know, it's hidden in this library...
>
> A good first step would be to call avc_log(SELINUX_ERR, ...) in the
> case where we return an error. But what do we do in the
> security_deny_unknown() == 0 case? I'd still like to call avc_log,
> but only do it once rather than flood our logs. Any suggestions how
> to pull that off?
>
> -Eric
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
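An added example, not code from this thread or from libselinux, of the once-per-unique-name logging that Eric asks for and that Stephen contrasts with printk_once above. It stands in for string_to_security_class() with a constructed class table and deny_unknown flag (known_classes, deny_unknown, check_class and log_unknown_once are all hypothetical names), keeps selinux_check_access()'s return/errno contract for an unknown class, and reports each unknown class name the first time it is seen and then stays quiet, rather than once per program:

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the policy's class table and its deny_unknown
 * setting (hypothetical; not libselinux's own tables). */
static const char *known_classes[] = { "file", "dir", "process", NULL };
static int deny_unknown = 1;              /* 1: unknown classes are denied */
/* Like string_to_security_class(): class id, or 0 with errno = EINVAL. */
static unsigned lookup_class(const char *cls)
{
    for (unsigned i = 0; known_classes[i]; i++)
        if (strcmp(known_classes[i], cls) == 0)
            return i + 1;
    errno = EINVAL;
    return 0;
}
/* Report each unknown class once, not once per call or once per program;
 * the mutex matters because selinux_check_access() is called from threads. */
#define MAX_SEEN 16
static char seen[MAX_SEEN][64];
static int nseen, log_count;
static pthread_mutex_t seen_lock = PTHREAD_MUTEX_INITIALIZER;
static void log_unknown_once(const char *cls)
{
    pthread_mutex_lock(&seen_lock);
    int i = 0;
    while (i < nseen && strcmp(seen[i], cls) != 0) i++;
    if (i == nseen) {                     /* not reported before */
        if (nseen < MAX_SEEN)             /* cache full: keep logging */
            snprintf(seen[nseen++], sizeof seen[0], "%s", cls);
        log_count++;
        fprintf(stderr, "SELinux: unknown class %s (deny_unknown=%d)\n",
                cls, deny_unknown);
    }
    pthread_mutex_unlock(&seen_lock);
}
int unknown_log_count(void) { return log_count; }
/* selinux_check_access()'s unknown-class decision, now logged: 1 = known
 * (proceed to the AVC query), 0 = unknown but allowed, -1/EINVAL = denied. */
int check_class(const char *cls)
{
    if (lookup_class(cls) != 0) return 1;
    int rc = errno;                       /* the log call may clobber errno */
    log_unknown_once(cls);
    if (deny_unknown == 0) return 0;
    errno = rc;
    return -1;
}
```

The cache is bounded on purpose: once it fills, an unknown name keeps being logged rather than silently dropped, which is the failure Dominick describes.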

* Re: selinux_check_access() and unknown classes/perms
From: Daniel J Walsh @ 2014-04-30 12:58 UTC
To: Stephen Smalley, Eric Paris; +Cc: SE-Linux

I would think an AVC entry for an undefined class would be a good idea.

On 04/29/2014 08:02 PM, Stephen Smalley wrote:
> Well, you could use a static variable ala printk_once in the kernel;
> would only happen once per program rather than once per unique denial,
> but there is no real way to do that short of introducing an AVC entry
> for an undefined class...
>
> On Tue, Apr 29, 2014 at 2:14 PM, Eric Paris <eparis@parisplace.org> wrote:
>> selinux_check_access() has code like this:
>>
>> sclass = string_to_security_class(class);
>> if (sclass == 0) {
>> rc = errno;
>> if (security_deny_unknown() == 0)
>> return 0;
>> errno = rc;
>> return -1;
>> }
>>
>> My problem with the code is that we have no logging of any kind why we
>> just returned -1; The reason this was found is because Dominick is
>> writing custom policy that doesn't define all of the classes/perms
>> used by systemd and has security_deny_unknown() == 1. systemd calls
>> selinux_check_access() gets -EINVAL, prints that it denied, but no
>> where do we have a good reason why it was denied. systemd doesn't
>> know, it's hidden in this library...
>>
>> A good first step would be to call avc_log(SELINUX_ERR, ...) in the
>> case where we return an error. But what do we do in the
>> security_deny_unknown() == 0 case? I'd still like to call avc_log,
>> but only do it once rather than flood our logs. Any suggestions how
>> to pull that off?
>>
>> -Eric

* Re: selinux_check_access() and unknown classes/perms
From: Laurent Bigonville @ 2014-07-05 12:08 UTC
To: Daniel J Walsh; +Cc: SE-Linux

On Wed, 30 Apr 2014 08:58:39 -0400, Daniel J Walsh <dwalsh@redhat.com> wrote:
> I would think an AVC entry for an undefined class would be a good
> idea.

I would also be happy to see such a thing. Does anybody know which
steps should be taken to achieve this?

Cheers,
Laurent Bigonville

* Re: selinux_check_access() and unknown classes/perms
From: Dominick Grift @ 2014-07-05 12:42 UTC
To: selinux

For reference:

https://bugzilla.redhat.com/show_bug.cgi?id=1095354

* Re: selinux_check_access() and unknown classes/perms
From: Stephen Smalley @ 2014-07-08 18:04 UTC
To: Dominick Grift, selinux

On 07/05/2014 08:42 AM, Dominick Grift wrote:
> For reference:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1095354

Will this suffice?

[Attachment: 0001-Log-an-error-on-unknown-classes-and-permissions.patch]

From 7bdc38ccb21133155658279895b10ceb347b0b5a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 8 Jul 2014 14:03:39 -0400
Subject: [PATCH] Log an error on unknown classes and permissions.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 libselinux/src/checkAccess.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 4d70ebe..cd2a817 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -7,6 +7,7 @@
 #include <selinux/flask.h>
 #include <selinux/avc.h>
 #include <selinux/av_permissions.h>
+#include "avc_internal.h"
 
 static pthread_once_t once = PTHREAD_ONCE_INIT;
 
@@ -38,6 +39,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
 	sclass = string_to_security_class(class);
 	if (sclass == 0) {
 		rc = errno;
+		avc_log(SELINUX_ERROR, "Unknown class %s", class);
 		if (security_deny_unknown() == 0)
 			return 0;
 		errno = rc;
@@ -47,6 +49,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
 	av = string_to_av_perm(sclass, perm);
 	if (av == 0) {
 		rc = errno;
+		avc_log(SELINUX_ERROR, "Unknown permission %s for class %s", perm, class);
 		if (security_deny_unknown() == 0)
 			return 0;
 		errno = rc;
-- 
1.8.3.1
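Review bot: in the sclass == 0 hunk the new avc_log() call sits before the security_deny_unknown() test, so it fires on every call, including the allow-unknown path where the function goes on to return 0; a caller that repeats the check will then emit one SELINUX_ERROR line per call, which is the log flood Eric asked to avoid at the top of the thread. Suggest logging unconditionally only on the path that returns -1, and for the security_deny_unknown() == 0 path either rate-limiting (a once-per-class flag) or the AVC entry for an undefined class that Stephen and Dan proposed.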
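Review bot: in the av == 0 hunk the message "Unknown permission %s for class %s" names the permission and class but not the decision that follows it, so a policy writer reading the log still cannot tell whether the request was denied (-1 with errno = EINVAL) or allowed because security_deny_unknown() returned 0; suggest including the outcome in the message, e.g. whether unknowns are being denied, so the log line answers the question Dominick raised.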

* Re: selinux_check_access() and unknown classes/perms
From: Dominick Grift @ 2014-07-08 18:25 UTC
To: Stephen Smalley; +Cc: selinux

On Tue, 2014-07-08 at 14:04 -0400, Stephen Smalley wrote:
> On 07/05/2014 08:42 AM, Dominick Grift wrote:
> > For reference:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1095354
>
> Will this suffice?

I suspect it will, thanks