On Tuesday 17 May 2005 08:27, Stephen Smalley wrote:
> We're starting to see bug reports of SELinux denials with no audit
> messages in FC4/devel due to the fact that the audit capabilities are
> checked on the receive side via a direct cap_raised() test on the
> effective capability set saved earlier by the netlink_send hook.

Is the bug report in bugzilla or a mail list? I'd like to see it to figure out
what best to do.

> This manifests as programs failing in enforcing mode and working in
> permissive mode, but no audit messages being generated.

Was the program making calls into the audit system? pam is the only thing that
does that in the public. If there's a problem with pam, I need to know.

> I know there was an earlier rfc/patch by Chris to allow moving the
> netlink message checking to the send side via a new callback, which
> would allow us to perform a traditional capable() call rather than a
> direct cap_raised() test and thus have the usual auditing behavior for
> SELinux there. Is that stalled?

What are we doing wrong? Shouldn't it be a matter of calling the right selinux
function for a capabilities check after the DAC checks? That seems simpler
and has less impact on user space.
-Steve
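The two check paths the thread contrasts, as an added userspace model that is not code from this thread, from the kernel or from any of the participants: path A masks the saved effective capability set on the send side with a no-audit policy decision and then does a raw bit test on the receive side, so a denial leaves no audit record; path B takes a capable()-style decision that audits its denial. The struct names, the `*_model` functions, the AVC-like message text and the sample policy are this model's own constructions; the capability bit positions follow Linux numbering. The model assumes, as the thread states, that in permissive mode the operation proceeds.

```c
/* Added model (not code from the thread or from the kernel) of the two
 * capability-check paths under discussion.  All names below are this
 * model's own; only the capability bit positions follow Linux numbering. */
#include <stdbool.h>
#include <stdio.h>

#define CAP_NET_ADMIN_BIT   (1u << 12)
#define CAP_AUDIT_WRITE_BIT (1u << 29)

#define MAX_AUDIT 8
struct audit_log {
    char entries[MAX_AUDIT][96];
    int count;
};

/* Policy decision inputs: which capabilities the task's domain is allowed
 * by policy, and whether SELinux is enforcing. */
struct policy {
    unsigned int allowed_caps;
    bool enforcing;
};

/* What the netlink message carries from the sender: the effective set
 * saved when the netlink_send hook ran. */
struct netlink_cb {
    unsigned int eff_cap;
};

static void audit_denial(struct audit_log *log, unsigned int cap_bit)
{
    if (log->count < MAX_AUDIT) {
        snprintf(log->entries[log->count], sizeof log->entries[0],
                 "avc: denied { capability 0x%08x } (model message)", cap_bit);
        log->count++;
    }
}

/* Path A, as described in the thread.  The send-side hook intersects the
 * saved effective set with what policy allows using a no-audit decision;
 * in permissive mode the set is left alone so the request proceeds. */
static void send_hook_mask_noaudit(struct netlink_cb *cb, const struct policy *p,
                                   struct audit_log *log)
{
    (void)log;                          /* no-audit decision: nothing recorded */
    if (p->enforcing)
        cb->eff_cap &= p->allowed_caps;
}

/* Receive side: a raw bit test on the saved set, no hook, no audit. */
static bool cap_raised_model(const struct netlink_cb *cb, unsigned int cap_bit)
{
    return (cb->eff_cap & cap_bit) != 0;
}

/* Path B: a capable()-style check taken on the send side with auditing.
 * A policy denial leaves a record; in permissive mode the request still
 * proceeds, matching "works in permissive mode". */
static bool capable_model(unsigned int task_eff_cap, unsigned int cap_bit,
                          const struct policy *p, struct audit_log *log)
{
    bool dac_ok = (task_eff_cap & cap_bit) != 0;
    bool policy_ok = (p->allowed_caps & cap_bit) != 0;
    if (dac_ok && !policy_ok)
        audit_denial(log, cap_bit);
    if (!dac_ok)
        return false;
    return policy_ok || !p->enforcing;
}

/* Drive both paths for a task holding CAP_NET_ADMIN in its effective set
 * whose domain is denied that capability by (constructed) policy.  Reports
 * whether each path granted the request and how many audit records each
 * produced. */
static void compare_paths(bool enforcing, bool *a_granted, int *a_records,
                          bool *b_granted, int *b_records)
{
    struct policy p = { .allowed_caps = CAP_AUDIT_WRITE_BIT, .enforcing = enforcing };
    unsigned int task_eff = CAP_NET_ADMIN_BIT | CAP_AUDIT_WRITE_BIT;
    struct audit_log log_a = { .count = 0 }, log_b = { .count = 0 };

    struct netlink_cb cb = { .eff_cap = task_eff };
    send_hook_mask_noaudit(&cb, &p, &log_a);
    *a_granted = cap_raised_model(&cb, CAP_NET_ADMIN_BIT);
    *a_records = log_a.count;            /* stays 0: denial is silent */

    *b_granted = capable_model(task_eff, CAP_NET_ADMIN_BIT, &p, &log_b);
    *b_records = log_b.count;            /* 1: denial is audited */
}

int main(void)
{
    bool ag, bg;
    int ar, br;
    compare_paths(true, &ag, &ar, &bg, &br);
    printf("enforcing:  A granted=%d audit=%d | B granted=%d audit=%d\n", ag, ar, bg, br);
    compare_paths(false, &ag, &ar, &bg, &br);
    printf("permissive: A granted=%d audit=%d | B granted=%d audit=%d\n", ag, ar, bg, br);
    return 0;
}
```

Running it shows the symptom from the first quoted paragraph: in enforcing mode path A denies with an empty audit log, while path B denies the same request and records it; in permissive mode both grant, and path B still leaves the record an administrator would use to diagnose the policy gap.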