Write denied, but no write attempted!?!

Stephen Smalley sds at tycho.nsa.gov
Mon Sep 17 13:16:58 UTC 2007


On Sun, 2007-09-16 at 22:42 +0200, Göran Uddeborg wrote:
> I'm using xdm rather than gdm.  SELinux prevents
> /sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log
> (var_log_t).  It happens once every time someone logs in or out.  See
> the attached mail from SETroubleshoot for an example.
> 
> To understand what is going on, I tried to strace the processes.  But
> pam_console_apply doesn't attempt to write anything at all!  See the
> attached (compressed) strace from pid 4480, the process mentioned in
> the SETroubleshoot mail.
> 
> Xdm has stderr pointing to /var/log/xdm.log, so it's not unlikely that
> the open fd is inherited by pam_console_apply.  But if the inheritance
> itself was disallowed, wouldn't it be a "use" that would be denied by
> SELinux rather than a "write"?
> 
> What am I missing?
> 
> (The system is not up-to-date.  It is possible this message would go
> away with an upgrade.  I'm not looking for a way to get rid of the
> message here, I'm trying to understand what is going on.)

SELinux rechecks access to open files upon execve if the security
context of the process is changing, and when descriptors are passed
across local IPC.  That revalidation includes both the fd use check (can
the process use an open file description created by another security
context, potentially communicating/interfering with that context by
means of the open file's seek pointer and flags?) and the file read/write
checks (can the process access the file in a manner consistent with the
open file description?).

-- 
Stephen Smalley
National Security Agency
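The following is an added illustration of the mechanism described in the reply above, not code from the thread or from xdm/pam_console: the permission SELinux revalidates for an inherited descriptor comes from the open file description's access mode, so a write-only stderr draws a "write" check at execve even if the new program never writes, and marking the descriptor close-on-exec keeps it out of the new domain entirely. The log path is a constructed placeholder.

```c
/* Added example (not from the original thread). Shows which file
 * permission SELinux would recheck for an inherited fd on a domain
 * transition, and how a parent can avoid leaking the fd across execve. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Map the fd's O_ACCMODE bits to the permission(s) revalidated at execve.
 * Returns NULL if fd is not open. */
const char *fd_revalidated_perms(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    if (fl == -1)
        return NULL;
    switch (fl & O_ACCMODE) {
    case O_RDONLY: return "read";
    case O_WRONLY: return "write";
    case O_RDWR:   return "read write";
    default:       return "unknown";
    }
}

/* Open a log file for append but with close-on-exec set, so a child that
 * transitions to another domain never inherits it. Returns fd or -1. */
int open_log_noinherit(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0640);
}

/* 1 if the fd would survive execve, 0 if FD_CLOEXEC is set, -1 on error. */
int fd_survives_exec(int fd)
{
    int fdfl = fcntl(fd, F_GETFD);
    if (fdfl == -1)
        return -1;
    return (fdfl & FD_CLOEXEC) ? 0 : 1;
}

int main(void)
{
    const char *path = "/tmp/xdm-example.log";   /* constructed placeholder */
    int fd = open_log_noinherit(path);
    if (fd == -1) { perror("open"); return 1; }
    printf("fd %d: revalidated as '%s', survives execve: %d\n",
           fd, fd_revalidated_perms(fd), fd_survives_exec(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

Run it on a Linux host; the point is that an xdm-style stderr opened O_WRONLY reports "write" here regardless of whether anything is ever written to it.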
