List: selinux
Subject: Re: Permissive mode for xace is broken.
From: Steve G <linux_4ever () yahoo ! com>
Date: 2008-03-24 15:55:13
Message-ID: 729568.16778.qm () web51505 ! mail ! re2 ! yahoo ! com
----- Original Message ----
> From: Eamon Walsh <ewalsh@tycho.nsa.gov>
> To: Steve Grubb <sgrubb@redhat.com>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>; Daniel J Walsh <dwalsh@redhat.com>; SE Linux <selinux@tycho.nsa.gov>
> Sent: Wednesday, March 19, 2008 11:56:00 PM
> Subject: Re: Permissive mode for xace is broken.
>
> Steve Grubb wrote:
> > On Thursday 28 February 2008 21:02:28 Eamon Walsh wrote:
> >
> > > Steve Grubb wrote:
> > >
> > > > On Thursday 28 February 2008 13:51:05 Stephen Smalley wrote:
> > > >
> > > > > On Thu, 2008-02-28 at 13:48 -0500, Eamon Walsh wrote:
> > > > >
> > > > > > Stephen Smalley wrote:
> > > > > >
> > > > > > > On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
> > > > > > >
> > > > > > > > Eamon Walsh wrote:
> > > > > > > >
> > > > > > > > > The X object manager logs all avc's and status messages (including
> > > > > > > > > the AVC netlink stuff) through the audit system using libaudit calls (audit_log_user_avc_message, etc.)
> > > > > > > > >
> > > > Please tell me they have different record types. Also do you have any
> > > > samples that we can look over to make sure they conform?
> > > >
> > > type=USER_AVC msg=audit(1204226161.048:268): user pid=21267 uid=0
> > > auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
> > > msg='avc: denied { read } for request=X11:QueryPointer
> > > comm=/usr/libexec/at-spi-registryd xdevice="Virtual core pointer"
> > > scontext=staff_u:staff_r:staff_t:s0
> > > tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=x_device :
> > > exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
> > >
> >
> > comm & xdevice are not escaped the right way. exe is. The audit utilities are
> > expecting the comm field to be comm="/usr/libexec/at-spi-registryd" in this
> > case. The standard has been that untrusted fields have " " enclosing the field.
> > Whenever there is a space, double quote, or control character, it's ASCII HEX
> > encoded with no quotes. xdevice is not a field that the audit system knows
> > about, so we could do something different with it, but comm is known for a
> > long time and has to follow the standards.
> >
>
> Why can't libaudit automatically perform this escaping?
Well, it could. However, this is the API that you currently have:
extern int audit_log_user_avc_message(int audit_fd, int type,
const char *message, const char *hostname, const char *addr,
const char *tty, uid_t uid);
The whole avc from msg= up to the exe= statement comes from libselinux. So,
libselinux has to do the escaping unless we build a better API for selinux use. I
could probably expose the function that does the escaping, but I had really wanted to
try to maintain some consistency in the event by API.
> That way we avoid promulgating this "standard" into every caller of libaudit.
>
> If everything is going to be name-value based, then I want a libaudit
> function that takes a list of name/value pairs.
SE Linux is the only user of the audit system that does not follow the name=value
standard. Would you (and the community) really be willing to convert selinux over to
that if we have the API for it? Do you have any suggestions about how you'd like to
see the new API implemented?
> > Also, is there any information about who caused the event? uid, auid, gid?
> > Even though this was a denied action, what are the results? Were they
> > successful (permissive) or was it really a failed and denied request?
> >
>
> I don't understand this last part with the result of the action. How am
> I supposed to specify this?
res=0 for failed and res=1 for success even though the action was denied. Admittedly,
the audit avc API does not require this from SE Linux, but I could fix that if we
change the API to something around name value pairs.
> I need to modify libselinux (again) to support all of this extra uid and
> hostname stuff getting passed into the logging callback.
Yes, CAPP and other CC protection profiles require that sufficient information be
logged to determine who did the action that was denied or granted.
> > Would it make sense to fill in the workspace:window information for the
> > terminal? If X is being used remotely, is the addr & hostname fields correct?
> >
>
> The X server has a terminal that it runs on, /dev/tty7 or whatever. The
> desktop workspaces and gnome-terminal/xterm pseudo-tty's are external to
> the X server and it doesn't know about them.
So, should we also make a new field that logs the workspace:window that a request
came from?
Thanks,
-Steve
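The escaping rule Steve spells out in the quoted paragraph (an untrusted field value is enclosed in double quotes; when it contains a space, a double quote or a control character it is emitted as ASCII hex with no quotes), applied to the USER_AVC record quoted earlier in the thread. This is an added example, not part of the original mail and not libaudit's or libselinux's own code: it checks which of comm, exe and xdevice in that record conform, and shows what the conforming forms would look like. Uppercase hex digits, and treating bytes outside printable ASCII the same way as control characters, are assumptions of this example; the real libaudit helper functions are not reproduced here.

```python
import re

# The USER_AVC record quoted in the thread, re-joined onto one line
# (same text; the breaks in the mail were only wrapping).
SAMPLE_RECORD = (
    "type=USER_AVC msg=audit(1204226161.048:268): user pid=21267 uid=0 "
    "auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 "
    "msg='avc: denied { read } for request=X11:QueryPointer "
    'comm=/usr/libexec/at-spi-registryd xdevice="Virtual core pointer" '
    "scontext=staff_u:staff_r:staff_t:s0 "
    "tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=x_device : "
    'exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)\''
)

# Fields the thread treats as untrusted (process-supplied) strings.
UNTRUSTED_FIELDS = ("comm", "exe", "xdevice")

HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def needs_hex(value: bytes) -> bool:
    """True if the raw value may not be emitted inside double quotes.

    Space, double quote and control characters are the triggers named in
    the mail.  Bytes outside printable ASCII are treated the same way here,
    which is an assumption of this example, not something the mail states.
    """
    return any(b < 0x21 or b > 0x7E or b == 0x22 for b in value)


def encode_untrusted(value) -> str:
    """Encode one untrusted field value according to the stated rule."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if needs_hex(value):
        return value.hex().upper()          # hex, no quotes
    return '"' + value.decode("ascii") + '"'  # safe: plain quoted string


def decode_untrusted(token: str) -> bytes:
    """Reverse of encode_untrusted; a bare token is returned as-is."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode("utf-8")
    if HEX_RE.match(token):
        return bytes.fromhex(token)
    return token.encode("utf-8")  # neither form, e.g. the comm= in the sample


def classify(token: str) -> str:
    """Return "ok" if the token follows the rule, otherwise a short reason."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        if needs_hex(token[1:-1].encode("utf-8")):
            return "quoted value contains space/quote/control; should be hex"
        return "ok"
    if HEX_RE.match(token):
        if needs_hex(bytes.fromhex(token)):
            return "ok"
        return "hex used where a quoted string was expected"
    return "bare value: neither quoted nor hex"


def check_record(record: str, fields=UNTRUSTED_FIELDS) -> dict:
    """Map each untrusted field present in the record to its verdict."""
    found = dict(FIELD_RE.findall(record))
    return {f: classify(found[f]) for f in fields if f in found}


if __name__ == "__main__":
    for field, verdict in check_record(SAMPLE_RECORD).items():
        print(f"{field}: {verdict}")
    # How the two non-conforming fields would look under the rule.
    print("comm=" + encode_untrusted("/usr/libexec/at-spi-registryd"))
    print("xdevice=" + encode_untrusted("Virtual core pointer"))
```

Run against the sample, exe passes, comm is flagged because it is bare, and xdevice is flagged because it is quoted even though it contains spaces; the rule would hex-encode it instead. The parser deliberately uses only the name=value shape, so a field the audit tools have never heard of (xdevice) is checked the same way as comm, which is the consistency argument made in the mail.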
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.