[prev in list] [next in list] [prev in thread] [next in thread]
List: selinux
Subject: Re: Permissive mode for xace is broken.
From: Eamon Walsh <ewalsh () tycho ! nsa ! gov>
Date: 2008-03-20 3:56:00
Message-ID: 47E1E050.7060006 () tycho ! nsa ! gov
[Download RAW message or body]
Steve Grubb wrote:
> On Thursday 28 February 2008 21:02:28 Eamon Walsh wrote:
>
>> Steve Grubb wrote:
>>
>>> On Thursday 28 February 2008 13:51:05 Stephen Smalley wrote:
>>>
>>>> On Thu, 2008-02-28 at 13:48 -0500, Eamon Walsh wrote:
>>>>
>>>>> Stephen Smalley wrote:
>>>>>
>>>>>> On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
>>>>>>
>>>>>>> Eamon Walsh wrote:
>>>>>>>
>>>>>>>> The X object manager logs all avc's and status messages (including
>>>>>>>> the AVC netlink stuff) through the audit system using libaudit calls
>>>>>>>> (audit_log_user_avc_message, etc.)
>>>>>>>>
>>> Please tell me they have different record types. Also do you have any
>>> samples that we can look over to make sure they conform?
>>>
>> type=USER_AVC msg=audit(1204226161.048:268): user pid=21267 uid=0
>> auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
>> msg='avc: denied { read } for request=X11:QueryPointer
>> comm=/usr/libexec/at-spi-registryd xdevice="Virtual core pointer"
>> scontext=staff_u:staff_r:staff_t:s0
>> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=x_device :
>> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>>
>
> comm & xdevice are not escaped the right way. exe is. The audit utilities are
> expecting the comm field to be comm="/usr/libexec/at-spi-registryd" in this
> case. The standard has been untrusted fields have " " enclosing the field.
> Whenever there is a space, double quote, or control character, its ASCII HEX
> encoded with no quotes. xdevice is not a field that the audit system knows
> about, so we could do something different with it, but comm is known for a
> long time and has to follow the standards.
>
Why can't libaudit automatically perform this escaping? That way we
avoid promulgating this "standard" into every caller of libaudit.
If everything is going to be name-value based, then I want a libaudit
function that takes a list of name/value pairs.
> Also, is there any information about who caused the event? uid, auid, gid?
> Even though this was a denied action, what is the results? Were they
> successful (permissive) or was it really a failed and denied request?
>
I don't understand this last part with the result of the action. How am
I supposed to specify this?
I need to modify libselinux (again) to support all of this extra uid and
hostname stuff getting passed into the logging callback.
> Would it make sense to fill in the workspace:window information for the
> terminal? If X is being used remotely, is the addr & hostname fields correct?
>
The X server has a terminal that it runs on, /dev/tty7 or whatever. The
desktop workspaces and gnome-terminal/xterm pseudo-tty's are external to
the X server and it doesn't know about them.
> That's the only things I notice at this point.
>
> -Steve
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
>
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic