
List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2008-02-28 19:00:24
Message-ID: 47C704C8.2090602 () redhat ! com


Stephen Smalley wrote:
> On Thu, 2008-02-28 at 13:48 -0500, Eamon Walsh wrote:
>> Stephen Smalley wrote:
>>> On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
>>>   
>>>> Eamon Walsh wrote:
>>>>     
>>>>> The X object manager logs all avc's and status messages (including the 
>>>>> AVC netlink stuff) through the audit system using libaudit calls 
>>>>> (audit_log_user_avc_message, etc.).  I disavow all responsibility for 
>>>>> the messages once they enter libaudit.
>>>>>       
>>>> It's being black-holed in rawhide.  To see for yourself, add the 
>>>> attached patch to the spec file and rebuild the xserver from SRPM.  It 
>>>> will tee the avc messages into /var/log/Xorg.0.log.
>>>>     
>>> Looking at the corresponding code in dbus, I see that dbus is calling
>>> both audit_log_user_avc_message() (if HAVE_LIBAUDIT) and
>>> vsyslog(LOG_INFO...) with the message.
>>>   
>> Should the X server do this also?  Why does it need to be logged twice?
>>
>>> Can you verify that the X server was able to create the audit socket
>>> successfully?
>>>   
>> Yes, because when I actually install the audit package, things started 
>> appearing in /var/log/audit/audit.log.  I did not have the audit package 
>> installed.  Why isn't it redirecting to /var/log/messages in this case?  
>> This is the behavior I was led to believe would happen, and this is what 
>> happens with kernel AVC's.
> 
> That's what I would expect, but I don't know.  Safest thing would seem
> to be to follow dbus' example.  The audit calls there are also
> conditionally compiled, so they can be entirely omitted on systems
> without libaudit, whereas the system logging is unconditional.
> 
>>> Things that could go wrong:
>>> - X server uses privilege bracketing (switching uids or capabilities)
>>> and lacks the necessary audit capabilities.
>>> - X server shuts down all descriptors _after_ you've opened the audit
>>> socket, thereby closing it down too.
>>> - Policy doesn't allow X server to write audit messages (requires
>>> audit_write capability and netlink_audit_socket perms).
>>>   
>>
dbus is not a setuid application so when it runs in userspace it does
not have the right to send an audit message.  When it gets a reload
policy, the user space dbus program sends the message to syslog.  I
don't think X needs to do this.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
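
The dbus-style logging described in this thread (audit calls conditionally compiled, system logging unconditional), as an added example; it is not code from this thread, from dbus or from the X server. The names avc_log_init, avc_log, the SINK_* flags and the program name are hypothetical; HAVE_LIBAUDIT is the macro named in the message above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <syslog.h>
#ifdef HAVE_LIBAUDIT            /* audit calls compiled only when libaudit exists */
#include <libaudit.h>
#include <unistd.h>
#endif

enum { SINK_SYSLOG = 1, SINK_AUDIT = 2 };   /* hypothetical result flags */

static int audit_fd = -1;       /* stays -1 without libaudit or if open fails */

/* Open the sinks once at startup; returns 1 if an audit socket is usable. */
int avc_log_init(void)
{
    openlog("example-object-manager", LOG_PID, LOG_DAEMON);
#ifdef HAVE_LIBAUDIT
    audit_fd = audit_open();
#endif
    return audit_fd >= 0;
}

/* Format one AVC message and send it to every available sink.
 * Returns a bitmask of the sinks that were written. */
int avc_log(const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    int sinks = 0;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
#ifdef HAVE_LIBAUDIT
    /* Fails (<= 0) if the socket was closed or audit_write is not permitted. */
    if (audit_fd >= 0 && audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC,
                             buf, NULL, NULL, NULL, getuid()) > 0)
        sinks |= SINK_AUDIT;
#endif
    syslog(LOG_INFO, "%s", buf);    /* unconditional, as the thread says dbus does */
    return sinks | SINK_SYSLOG;
}

int main(void)
{
    int have_audit = avc_log_init();
    int sinks = avc_log("avc:  denied  { %s } for request=%s", "read", "Example"); /* constructed */
    printf("audit socket: %d, sinks written: %d\n", have_audit, sinks);
    return 0;
}
```

Built with -DHAVE_LIBAUDIT and linked with -laudit, the return value shows whether the audit record was actually accepted, which distinguishes the failure cases listed in the quoted message from a successful write.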