[redhat-lspp] SE Linux avc denial and syscall successful
Stephen Smalley
sds at tycho.nsa.gov
Tue Nov 8 15:43:43 UTC 2005
On Tue, 2005-11-08 at 10:01 -0500, Steve Grubb wrote:
> Hi,
>
> ausearch -m AVC -sv yes -sc stat
>
> time->Mon Nov 7 08:16:13 2005
> type=PATH msg=audit(1131369373.260:35): item=0
> name="/usr/share/man/man1/mailq.postfix.1.gz" flags=1 inode=7065730
> dev=08:07 mode=0100644 ouid=0 ogid=0 rdev=00:00
> type=CWD msg=audit(1131369373.260:35): cwd="/var/spool/postfix"
> type=AVC_PATH msg=audit(1131369373.260:35):
> path="/usr/share/man/man1/mailq.postfix.1.gz"
> type=SYSCALL msg=audit(1131369373.260:35): arch=c000003e syscall=4 success=yes
> exit=0 a0=6ce940 a1=7fffff96cf40 a2=7fffff96cf40 a3=0 items=1 pid=2072
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="sh" exe="/bin/bash"
> type=AVC msg=audit(1131369373.260:35): avc: denied { getattr } for pid=2072
> comm="sh" name="mailq.postfix.1.gz" dev=sda7 ino=7065730
> scontext=system_u:system_r:postfix_master_t:s0
> tcontext=system_u:object_r:man_t:s0 tclass=file
>
> There seems to be a problem in either policy, audit code, or the kernel code
> for stat syscalls. When I run the above search on my x86_64 machine, I am
> finding that the syscall reported success, yet there was an AVC denial. I do
> not run my machines in permissive mode.
>
> Also look at "aureport -a --success -i | grep -v granted"
Hmm...well, I don't have x86_64, but running selinux tests here on x86,
I do see proper denial of stat attempts, with the syscall failing as
expected. As to the latter, there are going to be some AVC denials that
do not result in syscall failure (e.g. inheritance checks on execve).
--
Stephen Smalley
National Security Agency
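The check Steve Grubb ran with ausearch, written out as an added example that is not part of the thread: group audit records by their serial number and flag events where an AVC "denied" record sits beside a SYSCALL record reporting success=yes. The sample records are constructed from the ones quoted above (event 36 is an invented control case whose syscall fails as expected), and the field layout assumes the audit(<time>:<serial>) framing shown in the message.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the thread: event 35 is
# the puzzling case (AVC denial next to success=yes); event 36 is an invented
# control whose syscall failed with EACCES as a denial normally would.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1131369373.260:35): arch=c000003e syscall=4 success=yes exit=0 pid=2072 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1131369373.260:35): avc: denied { getattr } for pid=2072 comm="sh" name="mailq.postfix.1.gz" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
type=SYSCALL msg=audit(1131369380.100:36): arch=c000003e syscall=4 success=no exit=-13 pid=2080 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1131369380.100:36): avc: denied { getattr } for pid=2080 comm="sh" name="other.1.gz" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')


def parse_events(text):
    """Group audit records by serial number (the ':N' in msg=audit(...:N))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[int(serial)].append({'type': rtype, 'body': body, 'fields': fields})
    return events


def denied_but_succeeded(events):
    """Map serial -> (syscall, permissions, scontext, tcontext) for every event
    where an AVC 'denied' record accompanies a SYSCALL record with success=yes.
    A hit is not automatically a bug: as the reply notes, some checks (e.g.
    inheritance checks on execve) deny a permission without failing the syscall."""
    hits = {}
    for serial, records in events.items():
        syscall = next((r['fields'] for r in records if r['type'] == 'SYSCALL'), None)
        if not syscall or syscall.get('success') != 'yes':
            continue
        for r in records:
            if r['type'] != 'AVC':
                continue
            m = AVC_RE.search(r['body'])
            if m and m.group(1) == 'denied':
                f = r['fields']
                hits[serial] = (syscall['syscall'], m.group(2).strip(),
                                f['scontext'], f['tcontext'])
    return hits
```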