List: selinux
Subject: Re: Permissive mode for xace is broken.
From: Eamon Walsh <ewalsh () tycho ! nsa ! gov>
Date: 2008-02-28 18:48:08
Message-ID: 47C701E8.1030603 () tycho ! nsa ! gov
Stephen Smalley wrote:
> On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
>
>> Eamon Walsh wrote:
>>
>>> The X object manager logs all AVCs and status messages (including the
>>> AVC netlink stuff) through the audit system using libaudit calls
>>> (audit_log_user_avc_message, etc.). I disavow all responsibility for
>>> the messages once they enter libaudit.
>>>
>> It's being black-holed in rawhide. To see for yourself, add the
>> attached patch to the spec file and rebuild the xserver from SRPM. It
>> will tee the avc messages into /var/log/Xorg.0.log.
>>
>
> Looking at the corresponding code in dbus, I see that dbus is calling
> both audit_log_user_avc_message() (if HAVE_LIBAUDIT) and
> vsyslog(LOG_INFO...) with the message.
>
Should the X server do this also? Why does it need to be logged twice?
> Can you verify that the X server was able to create the audit socket
> successfully?
>
Yes, because when I actually installed the audit package, things started
appearing in /var/log/audit/audit.log. I did not have the audit package
installed. Why isn't it redirecting to /var/log/messages in this case?
This is the behavior I was led to believe would happen, and this is what
happens with kernel AVCs.
> Things that could go wrong:
> - X server uses privilege bracketing (switching uids or capabilities)
> and lacks the necessary audit capabilities.
> - X server shuts down all descriptors _after_ you've opened the audit
> socket, thereby closing it down too.
> - Policy doesn't allow X server to write audit messages (requires
> audit_write capability and netlink_audit_socket perms).
>
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
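The dual-logging pattern Stephen attributes to dbus (libaudit when available, syslog always), written out as an added example that is not the X server's or dbus's own code. The avc_log_init/avc_log_message/avc_last_message names are hypothetical; audit_open and audit_log_user_avc_message are the real libaudit calls, compiled in only under HAVE_LIBAUDIT as the thread describes.

```c
/* Added example (not X server or dbus code): send each AVC message to
 * the audit subsystem when libaudit is built in and the socket opened,
 * and always to syslog so nothing is black-holed when auditd is absent.
 * Helper names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>   /* audit_open, audit_log_user_avc_message, AUDIT_USER_AVC */
#endif

/* Which sinks received the message; returned so callers can check. */
enum avc_log_dest { AVC_LOG_SYSLOG_ONLY = 1, AVC_LOG_AUDIT_AND_SYSLOG = 2 };

static int  avc_audit_fd = -1;   /* -1: no audit socket (or no libaudit) */
static char avc_last[1024];      /* copy of the last formatted message */

/* Open the audit netlink socket once, early: before any privilege
 * bracketing and before any close-all-descriptors loop, two of the
 * failure modes listed in the thread. */
void avc_log_init(void)
{
#ifdef HAVE_LIBAUDIT
    avc_audit_fd = audit_open();   /* returns -1 on failure */
#endif
}

/* Format once, then deliver to audit (when possible) and to syslog. */
enum avc_log_dest avc_log_message(const char *fmt, ...)
{
    va_list ap;
    enum avc_log_dest dest = AVC_LOG_SYSLOG_ONLY;

    va_start(ap, fmt);
    vsnprintf(avc_last, sizeof avc_last, fmt, ap);
    va_end(ap);
#ifdef HAVE_LIBAUDIT
    if (avc_audit_fd >= 0 &&
        audit_log_user_avc_message(avc_audit_fd, AUDIT_USER_AVC, avc_last,
                                   NULL, NULL, NULL, getuid()) > 0)
        dest = AVC_LOG_AUDIT_AND_SYSLOG;
#endif
    /* The syslog copy keeps the record when the audit socket could not
     * be opened or the audit daemon is not installed. */
    syslog(LOG_INFO, "%s", avc_last);
    return dest;
}

const char *avc_last_message(void) { return avc_last; }
```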