
List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Steve G <linux_4ever () yahoo ! com>
Date:       2008-03-24 15:55:13
Message-ID: 729568.16778.qm () web51505 ! mail ! re2 ! yahoo ! com



----- Original Message ----
> From: Eamon Walsh <ewalsh@tycho.nsa.gov>
> To: Steve Grubb <sgrubb@redhat.com>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>; Daniel J Walsh <dwalsh@redhat.com>;
>     SE Linux <selinux@tycho.nsa.gov>
> Sent: Wednesday, March 19, 2008 11:56:00 PM
> Subject: Re: Permissive mode for xace is broken.
> 
> Steve Grubb wrote:
> > On Thursday 28 February 2008 21:02:28 Eamon Walsh wrote:
> > 
> > > Steve Grubb wrote:
> > > 
> > > > On Thursday 28 February 2008 13:51:05 Stephen Smalley wrote:
> > > > 
> > > > > On Thu, 2008-02-28 at 13:48 -0500, Eamon Walsh wrote:
> > > > > 
> > > > > > Stephen Smalley wrote:
> > > > > > 
> > > > > > > On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
> > > > > > > 
> > > > > > > > Eamon Walsh wrote:
> > > > > > > > 
> > > > > > > > > The X object manager logs all avc's and status messages
> > > > > > > > > (including the AVC netlink stuff) through the audit
> > > > > > > > > system using libaudit calls (audit_log_user_avc_message,
> > > > > > > > > etc.)
> > > > Please tell me they have different record types. Also do you have
> > > > any samples that we can look over to make sure they conform?
> > > > 
> > > type=USER_AVC msg=audit(1204226161.048:268): user pid=21267 uid=0
> > > auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
> > > msg='avc:  denied  { read } for request=X11:QueryPointer
> > > comm=/usr/libexec/at-spi-registryd xdevice="Virtual core pointer"
> > > scontext=staff_u:staff_r:staff_t:s0
> > > tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
> > > tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> > > terminal=?)'
> > 
> > comm & xdevice are not escaped the right way. exe is. The audit
> > utilities are expecting the comm field to be
> > comm="/usr/libexec/at-spi-registryd" in this case. The standard has
> > been untrusted fields have " " enclosing the field. Whenever there is
> > a space, double quote, or control character, it's ASCII HEX encoded
> > with no quotes. xdevice is not a field that the audit system knows
> > about, so we could do something different with it, but comm is known
> > for a long time and has to follow the standards.
> > 
> 
> Why can't libaudit automatically perform this escaping?

Well, it could. However, this is the API that you currently have:

extern int audit_log_user_avc_message(int audit_fd, int type,
        const char *message, const char *hostname, const char *addr,
        const char *tty, uid_t uid);

The whole avc from msg= up to the exe= statement comes from libselinux.
So, libselinux has to do the escaping unless we build a better API for
selinux use. I could probably expose the function that does the escaping,
but I had really wanted to try to maintain some consistency in the event by
API.


> That way we avoid promulgating this "standard" into every caller of
> libaudit.
> If everything is going to be name-value based, then I want a libaudit 
> function that takes a list of name/value pairs.

SE Linux is the only user of the audit system that does not follow the
name=value standard. Would you (and the community) really be willing to
convert selinux over to that if we have the API for it? Do you have any
suggestions about how you'd like to see the new API implemented?


> > Also, is there any information about who caused the event? uid, auid,
> > gid? Even though this was a denied action, what is the result? Were
> > they successful (permissive) or was it really a failed and denied
> > request?
> 
> I don't understand this last part with the result of the action.  How am 
> I supposed to specify this?

res=0 for failed and res=1 for success even though the action was denied.
Admittedly, the audit avc API does not require this from SE Linux, but I
could fix that if we change the API to something around name value pairs.


> I need to modify libselinux (again) to support all of this extra uid and 
> hostname stuff getting passed into the logging callback.

Yes, CAPP and other CC protection profiles require that sufficient
information be logged to determine who did the action that was denied or
granted.

 
> > Would it make sense to fill in the workspace:window information for the
> > terminal? If X is being used remotely, are the addr & hostname fields
> > correct?
> 
> The X server has a terminal that it runs on, /dev/tty7 or whatever.  The 
> desktop workspaces and gnome-terminal/xterm pseudo-tty's are external to 
> the X server and it doesn't know about them.

So, should we also make a new field that logs the workspace:window that a
request came from?

Thanks,
-Steve
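
Added example, not part of the original message and not libaudit or libselinux code: a sketch of the untrusted-field rule described in the thread (quote a clean value; hex-encode without quotes when it contains a space, double quote or control character), applied to the comm and xdevice values from the quoted USER_AVC record. The function names, the uppercase hex digits, and the treatment of DEL and non-ASCII bytes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libaudit function): returns 1 when the value
 * holds a byte that the rule in the thread says must be hex-encoded.
 * Treating DEL and non-ASCII bytes the same way is an assumption here. */
static int needs_hex(const unsigned char *v, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (v[i] <= 0x20 || v[i] == '"' || v[i] >= 0x7f)
            return 1;
    return 0;
}

/* Writes name="value" for clean values, or name=HEX (no quotes) otherwise,
 * so a value can never close its own quotes or add a forged field.
 * Returns the length written, or -1 if the output buffer is too small. */
int encode_untrusted_field(char *out, size_t outlen,
                           const char *name, const char *value)
{
    static const char hex[] = "0123456789ABCDEF";
    const unsigned char *v = (const unsigned char *)value;
    size_t vlen = strlen(value), nlen = strlen(name);
    int enc = needs_hex(v, vlen);
    size_t need = nlen + 1 + (enc ? 2 * vlen : vlen + 2) + 1;

    if (need > outlen)
        return -1;
    char *p = out + sprintf(out, "%s=", name);
    if (!enc) {
        p += sprintf(p, "\"%s\"", value);
    } else {
        for (size_t i = 0; i < vlen; i++) {
            *p++ = hex[v[i] >> 4];
            *p++ = hex[v[i] & 0x0f];
        }
        *p = '\0';
    }
    return (int)(p - out);
}

int main(void)
{
    char buf[256];
    /* Values taken from the USER_AVC record quoted in the thread. */
    encode_untrusted_field(buf, sizeof buf, "comm", "/usr/libexec/at-spi-registryd");
    puts(buf);
    encode_untrusted_field(buf, sizeof buf, "xdevice", "Virtual core pointer");
    puts(buf);
    return 0;
}
```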