linux/security/selinux
Eric Paris b782e0a68d SELinux: special dontaudit for access checks
Currently there are a number of applications (nautilus being the main one) which
calls access() on files in order to determine how they should be displayed.  It
is normal and expected that nautilus will want to see if files are executable
or if they are really read/write-able.  access() should return the real
permission.  SELinux policy checks are done in access() and can result in lots
of AVC denials as policy denies RWX on files which DAC allows.  Currently
SELinux must dontaudit actual attempts to read/write/execute a file in
order to silence these messages (and not flood the logs.)  But dontaudit rules
like that can hide real attacks.  This patch addes a new common file
permission audit_access.  This permission is special in that it is meaningless
and should never show up in an allow rule.  Instead the only place this
permission has meaning is in a dontaudit rule like so:

dontaudit nautilus_t sbin_t:file audit_access

With such a rule if nautilus just checks access() we will still get denied and
thus userspace will still get the correct answer but we will not log the denial.
If nautilus attempted to actually perform one of the forbidden actions
(rather than just querying access(2) about it) we would still log a denial.
This type of dontaudit rule should be used sparingly, as it could be a
method for an attacker to probe the system permissions without detection.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by:  Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:07 +10:00
..
include SELinux: special dontaudit for access checks 2010-08-02 15:35:07 +10:00
ss SELinux: break ocontext reading into a separate function 2010-08-02 15:35:06 +10:00
.gitignore SELinux: add .gitignore files for dynamic classes 2009-10-24 09:42:27 +08:00
avc.c SELinux: special dontaudit for access checks 2010-08-02 15:35:07 +10:00
exports.c Creds: creds->security can be NULL is selinux is disabled 2009-09-14 12:34:07 +10:00
hooks.c SELinux: special dontaudit for access checks 2010-08-02 15:35:07 +10:00
Kconfig
Makefile selinux: generate flask headers during kernel build 2009-10-07 21:56:44 +11:00
netif.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
netlabel.c Merge branch 'master' into next 2010-05-06 10:56:07 +10:00
netlink.c Merge branch 'master' into next 2010-05-06 10:56:07 +10:00
netnode.c selinux: remove all rcu head initializations 2010-08-02 15:33:35 +10:00
netport.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
nlmsgtab.c Selinux: Remove unused headers skbuff.h in selinux/nlmsgtab.c 2010-03-04 08:51:06 +11:00
selinuxfs.c selinux: use generic_file_llseek 2010-08-02 15:34:59 +10:00
xfrm.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00