• Ondrej Mosnacek's avatar
    selinux: log invalid contexts in AVCs · fede1483
    Ondrej Mosnacek authored
    In case a file has an invalid context set, in an AVC record generated
    upon access to such file, the target context is always reported as
    unlabeled. This patch adds new optional fields to the AVC record
    (srawcon and trawcon) that report the actual context string if it
    differs from the one reported in scontext/tcontext. This is useful for
    diagnosing SELinux denials involving invalid contexts.
    
    To trigger an AVC that illustrates this situation:
    
        # setenforce 0
        # touch /tmp/testfile
        # setfattr -n security.selinux -v system_u:object_r:banana_t:s0 /tmp/testfile
        # runcon system_u:system_r:sshd_t:s0 cat /tmp/testfile
    
    AVC before:
    
    type=AVC msg=audit(1547801083.248:11): avc:  denied  { open } for  pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1
    
    AVC after:
    
    type=AVC msg=audit(1547801083.248:11): avc:  denied  { open } for  pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 trawcon=system_u:object_r:banana_t:s0
    
    Note that it is also possible to encounter this situation with the
    'scontext' field - e.g. when a new policy is loaded while a process is
    running, whose context is not valid in the new policy.
    
    Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683
    
    Cc: Daniel Walsh <dwalsh@redhat.com>
    Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
    Reviewed-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    fede1483
avc.c 32.2 KB