OBJ_PID records
Steve Grubb
sgrubb at redhat.com
Tue Oct 2 20:20:11 UTC 2007
On Monday 01 October 2007 14:52:25 Alexander Viro wrote:
> On Fri, Sep 28, 2007 at 09:39:57AM -0400, Steve Grubb wrote:
> > On Friday 28 September 2007 09:31:09 Steve Grubb wrote:
> > > > > type=OBJ_PID msg=audit(09/20/2007 15:29:16.355:12775) : opid=2287 ?
> > > > > obj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
> > > >
> > > > Er... And what has pid 2287 on that box?
> > >
> > > I am reasonably certain that its gdm given the selinux label.
> >
> > Scratch that, I forgot to include "server" in my grep. That looks like
> > Xorg's process label. So, its the X server.
>
> OK, I think I see what's going on:
> a) we are too cautious about audit_signals; need to exclude rules
> that have AUDIT_DEV{MAJOR,MINOR}, AUDIT_INODE, AUDIT_WATCH, AUDIT_PERM.
> None of those will trigger on signal-sending syscall
> b) more important, we should not touch async signals - basically,
> when kernel decides to send SIGIO/SIGURG we obviously should not screw with
> current->audit_context. Note that we already have that check, right in the
> caller of audit_signal_info() (that is, when we decide if current-based
> permissions checks apply). So we simply need to move audit_signal_info()
> a bit down - after we'd decided that it's not an async signal and before
> the permission checks. Patch below does just that.
This seems to fix it on my machine. Reloaded policy many times and haven't
seen a recurrance.
Acked-by: Steve Grubb <sgrubb at redhat.com>
> diff -urN linux-2.6.22.x86_64/kernel/signal.c foo/kernel/signal.c
> --- linux-2.6.22.x86_64/kernel/signal.c 2007-10-01 13:18:10.000000000 -0400
> +++ foo/kernel/signal.c 2007-10-01 14:45:35.000000000 -0400
> @@ -532,18 +532,18 @@
> if (!valid_signal(sig))
> return error;
>
> - error = audit_signal_info(sig, t); /* Let audit system see the signal */
> - if (error)
> - return error;
> -
> - error = -EPERM;
> - if ((info == SEND_SIG_NOINFO || (!is_si_special(info) &&
> SI_FROMUSER(info))) - && ((sig != SIGCONT) ||
> - (process_session(current) != process_session(t)))
> - && (current->euid ^ t->suid) && (current->euid ^ t->uid)
> - && (current->uid ^ t->suid) && (current->uid ^ t->uid)
> - && !capable(CAP_KILL))
> + if (info == SEND_SIG_NOINFO || (!is_si_special(info) &&
> SI_FROMUSER(info))) { + error = audit_signal_info(sig, t); /* Let audit
> system see the signal */ + if (error)
> + return error;
> + error = -EPERM;
> + if (((sig != SIGCONT) ||
> + (process_session(current) != process_session(t)))
> + && (current->euid ^ t->suid) && (current->euid ^ t->uid)
> + && (current->uid ^ t->suid) && (current->uid ^ t->uid)
> + && !capable(CAP_KILL))
> return error;
> + }
>
> return security_task_kill(t, info, sig, 0);
> }
More information about the Linux-audit
mailing list