mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-30 07:34:12 +08:00
SELinux: audit failed attempts to set invalid labels
We know that some yum operation is causing CAP_MAC_ADMIN failures. This implies that an RPM is laying down (or attempting to lay down) a file with an invalid label. The problem is that we don't have any information to track down the cause. This patch will cause such a failure to report the failed label in an SELINUX_ERR audit message. This is similar to the SELINUX_ERR reports on invalid transitions and things like that. It should help run down problems on what is trying to set invalid labels in the future. Resulting records look something like: type=AVC msg=audit(1319659241.138:71): avc: denied { mac_admin } for pid=2594 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 type=SELINUX_ERR msg=audit(1319659241.138:71): op=setxattr invalid_context=unconfined_u:object_r:hello:s0 type=SYSCALL msg=audit(1319659241.138:71): arch=c000003e syscall=188 success=no exit=-22 a0=a2c0e0 a1=390341b79b a2=a2d620 a3=1f items=1 ppid=2519 pid=2594 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=CWD msg=audit(1319659241.138:71): cwd="/root" type=PATH msg=audit(1319659241.138:71): item=0 name="test" inode=785879 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
parent
83d498569e
commit
d6ea83ec68
@ -2792,8 +2792,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
||||
|
||||
rc = security_context_to_sid(value, size, &newsid);
|
||||
if (rc == -EINVAL) {
|
||||
if (!capable(CAP_MAC_ADMIN))
|
||||
if (!capable(CAP_MAC_ADMIN)) {
|
||||
struct audit_buffer *ab;
|
||||
size_t audit_size;
|
||||
const char *str;
|
||||
|
||||
/* We strip a nul only if it is at the end, otherwise the
|
||||
* context contains a nul and we should audit that */
|
||||
str = value;
|
||||
if (str[size - 1] == '\0')
|
||||
audit_size = size - 1;
|
||||
else
|
||||
audit_size = size;
|
||||
ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
|
||||
audit_log_format(ab, "op=setxattr invalid_context=");
|
||||
audit_log_n_untrustedstring(ab, value, audit_size);
|
||||
audit_log_end(ab);
|
||||
|
||||
return rc;
|
||||
}
|
||||
rc = security_context_to_sid_force(value, size, &newsid);
|
||||
}
|
||||
if (rc)
|
||||
@ -5335,8 +5352,23 @@ static int selinux_setprocattr(struct task_struct *p,
|
||||
}
|
||||
error = security_context_to_sid(value, size, &sid);
|
||||
if (error == -EINVAL && !strcmp(name, "fscreate")) {
|
||||
if (!capable(CAP_MAC_ADMIN))
|
||||
if (!capable(CAP_MAC_ADMIN)) {
|
||||
struct audit_buffer *ab;
|
||||
size_t audit_size;
|
||||
|
||||
/* We strip a nul only if it is at the end, otherwise the
|
||||
* context contains a nul and we should audit that */
|
||||
if (str[size - 1] == '\0')
|
||||
audit_size = size - 1;
|
||||
else
|
||||
audit_size = size;
|
||||
ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
|
||||
audit_log_format(ab, "op=fscreate invalid_context=");
|
||||
audit_log_n_untrustedstring(ab, value, audit_size);
|
||||
audit_log_end(ab);
|
||||
|
||||
return error;
|
||||
}
|
||||
error = security_context_to_sid_force(value, size,
|
||||
&sid);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user