aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2012-04-04 13:45:49 -0400
committerEric Paris <eparis@redhat.com>2012-04-09 12:22:56 -0400
commitd6ea83ec6864e9297fa8b00ec3dae183413a90e3 (patch)
tree8a64f20f1a930d8f6ecd5ce0368c55a0c83f49dc /security/selinux/hooks.c
parent83d498569e9a7a4b92c4c5d3566f2d6a604f28c9 (diff)
SELinux: audit failed attempts to set invalid labels
We know that some yum operation is causing CAP_MAC_ADMIN failures. This implies that an RPM is laying down (or attempting to lay down) a file with an invalid label. The problem is that we don't have any information to track down the cause. This patch will cause such a failure to report the failed label in an SELINUX_ERR audit message. This is similar to the SELINUX_ERR reports on invalid transitions and things like that. It should help run down problems on what is trying to set invalid labels in the future. Resulting records look something like: type=AVC msg=audit(1319659241.138:71): avc: denied { mac_admin } for pid=2594 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 type=SELINUX_ERR msg=audit(1319659241.138:71): op=setxattr invalid_context=unconfined_u:object_r:hello:s0 type=SYSCALL msg=audit(1319659241.138:71): arch=c000003e syscall=188 success=no exit=-22 a0=a2c0e0 a1=390341b79b a2=a2d620 a3=1f items=1 ppid=2519 pid=2594 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=CWD msg=audit(1319659241.138:71): cwd="/root" type=PATH msg=audit(1319659241.138:71): item=0 name="test" inode=785879 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c36
1 files changed, 34 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dc15f16a357c..c3ee902306d8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2792,8 +2792,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2792 2792
2793 rc = security_context_to_sid(value, size, &newsid); 2793 rc = security_context_to_sid(value, size, &newsid);
2794 if (rc == -EINVAL) { 2794 if (rc == -EINVAL) {
2795 if (!capable(CAP_MAC_ADMIN)) 2795 if (!capable(CAP_MAC_ADMIN)) {
2796 struct audit_buffer *ab;
2797 size_t audit_size;
2798 const char *str;
2799
2800 /* We strip a nul only if it is at the end, otherwise the
2801 * context contains a nul and we should audit that */
2802 str = value;
2803 if (str[size - 1] == '\0')
2804 audit_size = size - 1;
2805 else
2806 audit_size = size;
2807 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2808 audit_log_format(ab, "op=setxattr invalid_context=");
2809 audit_log_n_untrustedstring(ab, value, audit_size);
2810 audit_log_end(ab);
2811
2796 return rc; 2812 return rc;
2813 }
2797 rc = security_context_to_sid_force(value, size, &newsid); 2814 rc = security_context_to_sid_force(value, size, &newsid);
2798 } 2815 }
2799 if (rc) 2816 if (rc)
@@ -5335,8 +5352,23 @@ static int selinux_setprocattr(struct task_struct *p,
5335 } 5352 }
5336 error = security_context_to_sid(value, size, &sid); 5353 error = security_context_to_sid(value, size, &sid);
5337 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5354 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5338 if (!capable(CAP_MAC_ADMIN)) 5355 if (!capable(CAP_MAC_ADMIN)) {
5356 struct audit_buffer *ab;
5357 size_t audit_size;
5358
5359 /* We strip a nul only if it is at the end, otherwise the
5360 * context contains a nul and we should audit that */
5361 if (str[size - 1] == '\0')
5362 audit_size = size - 1;
5363 else
5364 audit_size = size;
5365 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5366 audit_log_format(ab, "op=fscreate invalid_context=");
5367 audit_log_n_untrustedstring(ab, value, audit_size);
5368 audit_log_end(ab);
5369
5339 return error; 5370 return error;
5371 }
5340 error = security_context_to_sid_force(value, size, 5372 error = security_context_to_sid_force(value, size,
5341 &sid); 5373 &sid);
5342 } 5374 }