
List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Eamon Walsh <ewalsh () tycho ! nsa ! gov>
Date:       2008-02-28 18:48:08
Message-ID: 47C701E8.1030603 () tycho ! nsa ! gov

Stephen Smalley wrote:
> On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
>   
>> Eamon Walsh wrote:
>>     
>>> The X object manager logs all avc's and status messages (including the 
>>> AVC netlink stuff) through the audit system using libaudit calls 
>>> (audit_log_user_avc_message, etc.)   I disavow all responsibility for 
>>> the messages once they enter libaudit
>>>       
>> It's being black-holed in rawhide.  To see for yourself, add the 
>> attached patch to the spec file and rebuild the xserver from SRPM.  It 
>> will tee the avc messages into /var/log/Xorg.0.log.
>>     
>
> Looking at the corresponding code in dbus, I see that dbus is calling
> both audit_log_user_avc_message() (if HAVE_LIBAUDIT) and
> vsyslog(LOG_INFO...) with the message.
>   

Should the X server do this also?  Why does it need to be logged twice?

> Can you verify that the X server was able to create the audit socket
> successfully?
>   

Yes, because when I actually installed the audit package, things started 
appearing in /var/log/audit/audit.log.  I did not have the audit package 
installed.  Why isn't it redirecting to /var/log/messages in this case?  
This is the behavior I was led to believe would happen, and this is what 
happens with kernel AVCs.

> Things that could go wrong:
> - X server uses privilege bracketing (switching uids or capabilities)
> and lacks the necessary audit capabilities.
> - X server shuts down all descriptors _after_ you've opened the audit
> socket, thereby closing it down too.
> - Policy doesn't allow X server to write audit messages (requires
> audit_write capability and netlink_audit_socket perms).
>   


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
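
The dbus pattern Stephen describes (libaudit plus syslog) and his descriptor-closure failure mode, as an added C example that is not code from this thread, dbus or the X server; it assumes the build defines HAVE_LIBAUDIT when libaudit is present, and the avc_* function names are hypothetical.

```c
/* Added example (not from the thread or the X server): log an AVC the way
 * Stephen says dbus does, via libaudit when the audit socket is open and via
 * syslog as well, plus a check that the audit descriptor survived descriptor
 * cleanup. audit_fd is what audit_open() returned at startup, opened before
 * any privilege bracketing; -1 if libaudit is absent or audit_open() failed
 * (no CAP_AUDIT_WRITE, or policy lacking netlink_audit_socket perms).
 * Assumes HAVE_LIBAUDIT is defined by the build when libaudit is present;
 * the avc_* names are hypothetical. */
#include <fcntl.h>
#include <syslog.h>
#include <unistd.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif

enum avc_sink { AVC_SINK_NONE = 0, AVC_SINK_SYSLOG = 1, AVC_SINK_AUDIT = 2 };

/* Still open? Run after the close-all loop: a closed audit socket drops messages silently. */
int avc_fd_is_open(int fd)
{
    return fd >= 0 && fcntl(fd, F_GETFD) != -1;
}

/* Send one AVC; returns the bitmask of sinks that took it. syslog is always
 * used, so a lost audit socket never black-holes the record. */
int avc_log_message(int audit_fd, const char *msg)
{
    int sinks = AVC_SINK_NONE;
#ifdef HAVE_LIBAUDIT
    if (avc_fd_is_open(audit_fd) && audit_log_user_avc_message(audit_fd,
            AUDIT_USER_AVC, msg, NULL, NULL, NULL, 0) > 0)
        sinks |= AVC_SINK_AUDIT;
#else
    (void)audit_fd;
#endif
    syslog(LOG_INFO, "%s", msg);
    return sinks | AVC_SINK_SYSLOG;
}

/* Self-check with a pipe standing in for the audit socket: 1 if a descriptor
 * closed behind our back is detected. */
int avc_demo_closed_fd_detected(void)
{
    int p[2], before;
    if (pipe(p) != 0) return 0;
    before = avc_fd_is_open(p[0]);
    close(p[0]); close(p[1]);
    return before && !avc_fd_is_open(p[0]);
}
```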


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.