List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Steve G <linux_4ever () yahoo ! com>
Date:       2008-03-24 15:55:13
Message-ID: 729568.16778.qm () web51505 ! mail ! re2 ! yahoo ! com

----- Original Message ----
> From: Eamon Walsh <ewalsh@tycho.nsa.gov>
> To: Steve Grubb <sgrubb@redhat.com>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>; Daniel J Walsh <dwalsh@redhat.com>; SE Linux <selinux@tycho.nsa.gov>
> Sent: Wednesday, March 19, 2008 11:56:00 PM
> Subject: Re: Permissive mode for xace is broken.
> 
> Steve Grubb wrote:
> > On Thursday 28 February 2008 21:02:28 Eamon Walsh wrote:
> > 
> > > Steve Grubb wrote:
> > > 
> > > > On Thursday 28 February 2008 13:51:05 Stephen Smalley wrote:
> > > > 
> > > > > On Thu, 2008-02-28 at 13:48 -0500, Eamon Walsh wrote:
> > > > > 
> > > > > > Stephen Smalley wrote:
> > > > > > 
> > > > > > > On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
> > > > > > > 
> > > > > > > > Eamon Walsh wrote:
> > > > > > > > 
> > > > > > > > > The X object manager logs all avc's and status messages (including
> > > > > > > > > the AVC netlink stuff) through the audit system using libaudit calls (audit_log_user_avc_message, etc.)
> > > > > > > > > 
> > > > Please tell me they have different record types. Also do you have any
> > > > samples that we can look over to make sure they conform?
> > > > 
> > > type=USER_AVC msg=audit(1204226161.048:268): user pid=21267 uid=0
> > > auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
> > > msg='avc:  denied  { read } for request=X11:QueryPointer
> > > comm=/usr/libexec/at-spi-registryd xdevice="Virtual core pointer"
> > > scontext=staff_u:staff_r:staff_t:s0
> > > tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=x_device :
> > > exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
> > > 
> > 
> > comm & xdevice are not escaped the right way. exe is. The audit utilities are 
> > expecting the comm field to be comm="/usr/libexec/at-spi-registryd" in this 
> > case. The standard has been that untrusted fields have " " enclosing the field. 
> > Whenever there is a space, double quote, or control character, it's ASCII hex 
> > encoded with no quotes. xdevice is not a field that the audit system knows 
> > about, so we could do something different with it, but comm has been known for a 
> > long time and has to follow the standards.
> > 
> 
> Why can't libaudit automatically perform this escaping?

Well, it could. However, this is the API that you currently have:

extern int audit_log_user_avc_message(int audit_fd, int type,
        const char *message, const char *hostname, const char *addr,
        const char *tty, uid_t uid);

The whole avc from msg= up to the exe= statement comes from libselinux. So, libselinux has to do the escaping unless we build a better API for selinux use. I could probably expose the function that does the escaping, but I had really wanted to try to maintain some consistency in the event by API.


> That way we avoid promulgating this "standard" into every caller of libaudit.
> 
> If everything is going to be name-value based, then I want a libaudit 
> function that takes a list of name/value pairs.

SE Linux is the only user of the audit system that does not follow the name=value standard. Would you (and the community) really be willing to convert selinux over to that if we have the API for it? Do you have any suggestions about how you'd like to see the new API implemented?


> > Also, is there any information about who caused the event? uid, auid, gid? 
> > Even though this was a denied action, what is the results? Were they 
> > successful (permissive) or was it really a failed and denied request?
> > 
> 
> I don't understand this last part with the result of the action.  How am 
> I supposed to specify this?

res=0 for failed and res=1 for success even though the action was denied. Admittedly, the audit avc API does not require this from SE Linux, but I could fix that if we change the API to something around name value pairs.


> I need to modify libselinux (again) to support all of this extra uid and 
> hostname stuff getting passed into the logging callback.

Yes, CAPP and other CC protection profiles require that sufficient information be logged to determine who did the action that was denied or granted.

 
> > Would it make sense to fill in the workspace:window information for the 
> > terminal? If X is being used remotely, is the addr & hostname fields correct?
> > 
> 
> The X server has a terminal that it runs on, /dev/tty7 or whatever.  The 
> desktop workspaces and gnome-terminal/xterm pseudo-tty's are external to 
> the X server and it doesn't know about them.

So, should we also make a new field that logs the workspace:window that a request came from?

Thanks,
-Steve
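The untrusted-field rule Steve Grubb describes in the quoted text (quote the value, or emit it as ASCII hex with no quotes when it contains a space, double quote or control character), worked through as an added Python example. This is not code from libaudit, libselinux or the thread; the UNTRUSTED_FIELDS set and the SAMPLE record are constructed here from the USER_AVC event shown above, and the encoder implements only the rule as stated in the thread.

```python
import re
import string

# Fields treated here as untrusted strings (constructed for this example;
# the real audit user-space list of untrusted fields is longer).
UNTRUSTED_FIELDS = {"comm", "exe", "xdevice"}


def audit_encode_untrusted(value: str) -> str:
    """Quote a clean value; hex-encode (upper case, no quotes) a value that
    contains a space, a double quote or a control character."""
    needs_hex = any(ch in ' "' or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)
    if needs_hex:
        return value.encode("utf-8").hex().upper()
    return f'"{value}"'


def audit_decode_untrusted(token: str) -> str:
    """Reverse audit_encode_untrusted; reject tokens in neither form."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    if token and len(token) % 2 == 0 and all(c in string.hexdigits for c in token):
        return bytes.fromhex(token).decode("utf-8", errors="replace")
    raise ValueError(f"field value is neither quoted nor hex-encoded: {token!r}")


# key=value pairs; a quoted value may contain spaces, a bare one may not.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def check_avc_fields(record: str) -> dict:
    """Map each untrusted field to (conforms, decoded_value). A field conforms
    only if its token is exactly the canonical encoding of its value."""
    result = {}
    for key, token in _FIELD_RE.findall(record):
        if key not in UNTRUSTED_FIELDS:
            continue
        try:
            value = audit_decode_untrusted(token)
        except ValueError:
            result[key] = (False, token)
            continue
        result[key] = (audit_encode_untrusted(value) == token, value)
    return result


# Constructed sample: the inner avc message from the thread's USER_AVC event.
SAMPLE = ("avc:  denied  { read } for request=X11:QueryPointer "
          "comm=/usr/libexec/at-spi-registryd xdevice=\"Virtual core pointer\" "
          "scontext=staff_u:staff_r:staff_t:s0 tclass=x_device : exe=\"/usr/bin/Xorg\"")
```

Running check_avc_fields(SAMPLE) flags comm (bare) and xdevice (quoted despite containing spaces) as non-conforming and exe as conforming, which is exactly the distinction drawn in the thread.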
