authorEric Paris <eparis@redhat.com>2012-04-04 13:45:49 -0400
committerEric Paris <eparis@redhat.com>2012-04-09 12:22:56 -0400
commitd6ea83ec6864e9297fa8b00ec3dae183413a90e3 (patch)
tree8a64f20f1a930d8f6ecd5ce0368c55a0c83f49dc /security
parent83d498569e9a7a4b92c4c5d3566f2d6a604f28c9 (diff)
SELinux: audit failed attempts to set invalid labels
We know that some yum operation is causing CAP_MAC_ADMIN failures. This implies that an RPM is laying down (or attempting to lay down) a file with an invalid label. The problem is that we don't have any information to track down the cause. This patch will cause such a failure to report the failed label in an SELINUX_ERR audit message. This is similar to the SELINUX_ERR reports on invalid transitions and things like that. It should help run down problems on what is trying to set invalid labels in the future. Resulting records look something like: type=AVC msg=audit(1319659241.138:71): avc: denied { mac_admin } for pid=2594 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 type=SELINUX_ERR msg=audit(1319659241.138:71): op=setxattr invalid_context=unconfined_u:object_r:hello:s0 type=SYSCALL msg=audit(1319659241.138:71): arch=c000003e syscall=188 success=no exit=-22 a0=a2c0e0 a1=390341b79b a2=a2d620 a3=1f items=1 ppid=2519 pid=2594 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=CWD msg=audit(1319659241.138:71): cwd="/root" type=PATH msg=audit(1319659241.138:71): item=0 name="test" inode=785879 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c36
1 files changed, 34 insertions, 2 deletions
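diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dc15f16a357c..c3ee902306d8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2792,8 +2792,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
 
 	rc = security_context_to_sid(value, size, &newsid);
 	if (rc == -EINVAL) {
-		if (!capable(CAP_MAC_ADMIN))
+		if (!capable(CAP_MAC_ADMIN)) {
+			struct audit_buffer *ab;
+			size_t audit_size;
+			const char *str;
+
+			/* We strip a nul only if it is at the end, otherwise the
+			 * context contains a nul and we should audit that */
+			str = value;
+			if (str[size - 1] == '\0')
+				audit_size = size - 1;
+			else
+				audit_size = size;
+			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
+			audit_log_format(ab, "op=setxattr invalid_context=");
+			audit_log_n_untrustedstring(ab, value, audit_size);
+			audit_log_end(ab);
+
 			return rc;
+		}
 		rc = security_context_to_sid_force(value, size, &newsid);
 	}
 	if (rc)
@@ -5335,8 +5352,23 @@ static int selinux_setprocattr(struct task_struct *p,
 		}
 		error = security_context_to_sid(value, size, &sid);
 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
-			if (!capable(CAP_MAC_ADMIN))
+			if (!capable(CAP_MAC_ADMIN)) {
+				struct audit_buffer *ab;
+				size_t audit_size;
+
+				/* We strip a nul only if it is at the end, otherwise the
+				 * context contains a nul and we should audit that */
+				if (str[size - 1] == '\0')
+					audit_size = size - 1;
+				else
+					audit_size = size;
+				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
+				audit_log_format(ab, "op=fscreate invalid_context=");
+				audit_log_n_untrustedstring(ab, value, audit_size);
+				audit_log_end(ab);
+
 				return error;
+			}
 			error = security_context_to_sid_force(value, size,
 							      &sid);
 		}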
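Review bot: The new `str[size - 1]` read in selinux_inode_setxattr is reached without any check that `value` is non-NULL or `size` is non-zero; if the setxattr() syscall path hands this hook a NULL value with size 0 (as I believe fs/xattr.c does when the user passes an empty value) and security_context_to_sid() reports -EINVAL for an empty context, an unprivileged caller without CAP_MAC_ADMIN then dereferences `((const char *)NULL)[(size_t)-1]` and oopses the kernel instead of getting -EINVAL back. The same pattern in the selinux_setprocattr hunk reads `str[-1]` if the trailing-newline strip that precedes the hunk can bring `size` down to 0. A guard on both sites, `if (value && size && str[size - 1] == '\0')`, leaves `audit_size` equal to `size` (0) in the degenerate case, so the record carries an empty context rather than a fault. Both enclosing functions start outside the hunks, and `str` in the second hunk is presumably the `char *str = value` declared earlier in selinux_setprocattr — worth confirming, since the hunk itself neither declares nor assigns it. The two copies of the audit block differ only in the `op=` string and would read better as one static helper taking the op name.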