authorOndrej Mosnacek <omosnace@redhat.com>2019-01-25 11:06:51 +0100
committerPaul Moore <paul@paul-moore.com>2019-01-25 17:31:14 -0500
commitfede148324c34360ce8c30a9a5bdfac5574b2a59 (patch)
tree6908514ddcc623ad8776f9f58897ee1d07c8f8f1 /security/selinux/avc.c
parentselinux: replace some BUG_ON()s with a WARN_ON() (diff)
selinux: log invalid contexts in AVCs
In case a file has an invalid context set, in an AVC record generated upon access to such a file, the target context is always reported as unlabeled. This patch adds new optional fields to the AVC record (srawcon and trawcon) that report the actual context string if it differs from the one reported in scontext/tcontext. This is useful for diagnosing SELinux denials involving invalid contexts. To trigger an AVC that illustrates this situation: # setenforce 0 # touch /tmp/testfile # setfattr -n security.selinux -v system_u:object_r:banana_t:s0 /tmp/testfile # runcon system_u:system_r:sshd_t:s0 cat /tmp/testfile AVC before: type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 AVC after: type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 trawcon=system_u:object_r:banana_t:s0 Note that it is also possible to encounter this situation with the 'scontext' field - e.g. when a new policy is loaded while a process is running whose context is not valid in the new policy. Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683 Cc: Daniel Walsh <dwalsh@redhat.com> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/avc.c')
-rw-r--r--security/selinux/avc.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 5ebad47391c9..3a27418b20d7 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -734,6 +734,21 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
if (sad->denied)
audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
+
+ /* in case of invalid context report also the actual context string */
+ rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
+ &scontext_len);
+ if (!rc && scontext) {
+ audit_log_format(ab, " srawcon=%s", scontext);
+ kfree(scontext);
+ }
+
+ rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
+ &scontext_len);
+ if (!rc && scontext) {
+ audit_log_format(ab, " trawcon=%s", scontext);
+ kfree(scontext);
+ }
}
/* This is the slow part of avc audit with big stack footprint */