SE Linux lacks proper user notification for security violations

Stephen Smalley sds at tycho.nsa.gov
Mon Jun 27 13:49:38 UTC 2005


On Sat, 2005-06-25 at 09:21 -0400, Valdis.Kletnieks at vt.edu wrote:
> If you're not getting a "permission denied", that means that *your* code
> failed to check the return code of a syscall and call perror() (or language
> equivalent) if needed.

To be fair, SELinux will sometimes prevent such error reporting by the
application because it will have already closed stdin/stdout/stderr and
re-opened them to the null device due to a policy denial on the
inherited descriptor at exec time (upon a domain change).  Hence, the
only safe approach is to log such error reports to a log file (and
naturally, to ensure that the application has the necessary permissions
to append to the log file).

-- 
Stephen Smalley
National Security Agency
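
The failure mode Smalley describes (stdin/stdout/stderr silently replaced by the null device across a domain transition, so perror() output vanishes) can be checked for and worked around from the application side. The following C example is added here and is not code from the thread or from the SELinux project; it assumes a POSIX/Linux host where /dev/null is a character device, and the log path used in the demo is a placeholder. It compares the character device backing a descriptor against /dev/null, and appends error reports to a log file regardless of what stderr points at:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Return 1 if fd refers to the null device, 0 if it refers to anything
 * else (tty, pipe, regular file), -1 if the descriptor is invalid.
 * Assumption: /dev/null is the character device the kernel substituted. */
int fd_is_null_device(int fd)
{
    struct stat fd_st, null_st;
    if (fstat(fd, &fd_st) != 0)
        return -1;
    if (stat("/dev/null", &null_st) != 0)
        return -1;
    return (S_ISCHR(fd_st.st_mode) && fd_st.st_rdev == null_st.st_rdev) ? 1 : 0;
}

/* Append one timestamped line describing a failed operation to logpath.
 * Returns 0 on success, -1 if the log itself cannot be opened or written
 * (for example because policy does not grant append on the log file). */
int log_error(const char *logpath, int err, const char *what)
{
    int fd = open(logpath, O_WRONLY | O_CREAT | O_APPEND, 0640);
    if (fd < 0)
        return -1;

    time_t now = time(NULL);
    struct tm tmv;
    char ts[32], buf[512];
    gmtime_r(&now, &tmv);
    strftime(ts, sizeof ts, "%Y-%m-%dT%H:%M:%SZ", &tmv);

    int n = snprintf(buf, sizeof buf, "%s pid=%ld %s: %s (errno %d)\n",
                     ts, (long)getpid(), what, strerror(err), err);
    if (n < 0) {
        close(fd);
        return -1;
    }
    if (n >= (int)sizeof buf)
        n = (int)sizeof buf - 1;          /* message was truncated */

    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == n) ? 0 : -1;
}

/* Report the current errno: on stderr only when stderr is still something
 * other than the null device, and always to the log file. Call this
 * immediately after a syscall returns -1, before errno is clobbered. */
int report_failure(const char *logpath, const char *what)
{
    int err = errno;
    if (fd_is_null_device(STDERR_FILENO) == 0)
        fprintf(stderr, "%s: %s\n", what, strerror(err));
    return log_error(logpath, err, what);
}

/* Stand-alone demo: a deliberately failing open() followed by a report. */
int main(void)
{
    const char *logpath = "/tmp/example-app.log";   /* placeholder path */
    int fd = open("/etc/example-app/does-not-exist.conf", O_RDONLY);
    if (fd < 0) {
        if (report_failure(logpath, "open config") != 0)
            return 2;   /* could not even log: nothing more we can do */
        return 1;
    }
    close(fd);
    return 0;
}
```

The descriptor check is only a diagnostic aid; the substantive defence is that report_failure() never depends on stderr at all. If log_error() returns -1 the log file is itself unwritable, which is exactly the permission Smalley says the policy must grant for this approach to work.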