* SELinux cache.
@ 2007-03-27  9:31 JanuGerman
  2007-03-27 12:38 ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: JanuGerman @ 2007-03-27  9:31 UTC (permalink / raw)
  To: SELinux List

Hi everyone,

  SELinux maintains a cache called "access vector
cache (avc)" for caching the security server
decisions. Besides the avc, is there any other cache
as well, which is maintained outside the domain of
the Linux kernel or SELinux?

The book "SELinux by Example" has mentioned a cache
in the userspace (library libselinux), but
unfortunately, I was not able to locate this library.

Currently, my SELinux is running in "Enforcing" mode,
with "targeted" policy. Sometimes it executes the
functions within selinux/hooks.c such as
"may_create", "may_link", "file_has_perm" and
sometimes not. The avc calls are normally executed within
these methods. So, logically, these methods should be
consulted before examining the avc for a cache
miss/hit.

Am I running SELinux in the wrong mode, I mean, at
the moment it is "targeted", shall it be "strict" in
order to execute these "hooks.c" functions each time a
permission check is made, or is there another cache
maintained outside the SELinux domain boundaries?


Thanking you in advance.
Best,
JG

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux cache.
  2007-03-27  9:31 SELinux cache JanuGerman
@ 2007-03-27 12:38 ` Stephen Smalley
  2007-03-29 13:33   ` JanuGerman
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2007-03-27 12:38 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Tue, 2007-03-27 at 10:31 +0100, JanuGerman wrote:
> Hi everyone,
> 
>   SELinux maintains a cache called "access vector
> cache (avc)" for caching the security server
> decisions. Besides the avc, is there any other cache
> as well, which is maintained outside the domain of
> the Linux kernel or SELinux?
> 
> The book "SELinux by Example" has mentioned a cache
> in the userspace (library libselinux), but
> unfortunately, I was not able to locate this library.
> 
> Currently, my SELinux is running in "Enforcing" mode,
> with "targeted" policy. Sometimes it executes the
> functions within selinux/hooks.c such as
> "may_create", "may_link", "file_has_perm" and
> sometimes not. The avc calls are normally executed within
> these methods. So, logically, these methods should be
> consulted before examining the avc for a cache
> miss/hit.
> 
> Am I running SELinux in the wrong mode, I mean, at
> the moment it is "targeted", shall it be "strict" in
> order to execute these "hooks.c" functions each time a
> permission check is made, or is there another cache
> maintained outside the SELinux domain boundaries?

The hook functions are always called.  What makes you think they aren't?
Easiest way to see the calls is to add auditallow rules to your policy,
although this will generate a lot of audit messages.  Example:
$ cat test.te
policy_module(test, 1.0)

require {
        attribute domain;
        attribute file_type;
}

auditallow domain file_type:dir_file_class_set *;
$ make -f /usr/share/selinux/devel/Makefile
$ su -
# semodule -i test.pp
# tail -f /var/log/audit/audit.log

But be warned that this will generate a lot of audit.
To remove, use:
# semodule -r test

There is a userspace AVC in libselinux for use by userspace object
managers (applications that enforce policy over their own objects and
operations not directly visible to the kernel), but it isn't relevant to
the kernel.  If you have SELinux on your system, you have libselinux
already, e.g. /lib/libselinux.so.1.  The sources can be found in the
usual places.

-- 
Stephen Smalley
National Security Agency

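A script form of the auditallow probe Stephen describes above, as an added example that is not part of the original thread. It writes the same test.te, installs the module only for a bounded number of seconds, removes it again on exit (including Ctrl-C, so it can never survive into the next boot), and then summarises the "avc:  granted" records that auditallow rules produce, grouped by source context, target context and object class. The devel Makefile path, the audit log path and the use of getenforce/semodule are assumptions taken from a typical Fedora/RHEL layout; the audit lines used to exercise the parsing functions are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): bounded auditallow probe for the
# SELinux hook calls. Paths below are assumptions for a Fedora/RHEL layout.
set -eu

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # assumed location
AUDIT_LOG=/var/log/audit/audit.log                 # assumed location

# Write the same test module as in the thread: audit every allowed
# directory/file permission from any domain to any file_type.
write_audit_module() {
    dir=$1
    cat > "$dir/test.te" <<'EOF'
policy_module(test, 1.0)

require {
        attribute domain;
        attribute file_type;
}

auditallow domain file_type:dir_file_class_set *;
EOF
}

# Number of "avc:  granted" records in an audit log. auditallow rules
# produce "granted" records; "denied" records come from ordinary
# denials and are deliberately not counted here.
count_granted() {
    awk '/type=AVC/ && /avc: +granted/ { n++ } END { print n + 0 }' "$1"
}

# Granted records grouped by (scontext, tcontext, tclass), most frequent first.
summarize_granted() {
    awk '
        /type=AVC/ && /avc: +granted/ {
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = substr($i, 10)
                if ($i ~ /^tcontext=/) t = substr($i, 10)
                if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            n[s " -> " t " " c]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Build, install for $1 seconds, then remove the module whatever happens.
# Never leave this module installed across a reboot: it audits every
# allowed file access and can flood auditd while services start.
run_audit_probe() {
    seconds=${1:-30}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -f "$DEVEL_MAKEFILE" ] || { echo "policy devel package missing" >&2; return 1; }
    echo "SELinux mode: $(getenforce)"
    work=$(mktemp -d)
    write_audit_module "$work"
    ( cd "$work" && make -f "$DEVEL_MAKEFILE" test.pp )
    trap 'semodule -r test; rm -rf "$work"' EXIT INT TERM
    semodule -i "$work/test.pp"
    start=$(wc -l < "$AUDIT_LOG")
    sleep "$seconds"
    tail -n "+$((start + 1))" "$AUDIT_LOG" > "$work/new.log"
    echo "granted records in ${seconds}s: $(count_granted "$work/new.log")"
    summarize_granted "$work/new.log" | head -n 20
}

case "${1:-}" in
    run) run_audit_probe "${2:-30}" ;;
esac
```

Run as root with "sh probe.sh run 20" to sample twenty seconds of granted decisions; the trap removes the module even if the script is interrupted, which is the step that was missing when the module in this thread was left installed across a reboot.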

* Re: SELinux cache.
  2007-03-27 12:38 ` Stephen Smalley
@ 2007-03-29 13:33   ` JanuGerman
  2007-03-29 13:38     ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: JanuGerman @ 2007-03-29 13:33 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

Hi Stephen,


> $ cat test.te
> policy_module(test, 1.0)
> 
> require {
>         attribute domain;
>         attribute file_type;
> }
> 
> auditallow domain file_type:dir_file_class_set *;
> $ make -f /usr/share/selinux/devel/Makefile
> $ su -
> # semodule -i test.pp
> # tail -f /var/log/audit/audit.log
> 
> But be warned that this will generate a lot of
> audit.
> To remove, use:
> # semodule -r test
> 

I am having some problems now with this module. I
added this module; after restart, there were a lot of
messages saying "audit ... maximum size=256 size
exceeded". The messages were not stopping, so I
rebooted the system with SELinux disabled and tried to
remove this module.

But now, when I reboot, the system hangs at starting
the "udev" service: MAKEDEV: mkdir: FILE exists ...saying
an error occurred during file system check, dropping
you to shell, ... give root password for maintaine....

My system has e compiled kernels, but none of them is
rebooting with SELinux.

Can I recover SELinux again while rebooted without
SELinux? Or does this mean the system is not usable any
more?

Thanks,
JG

* Re: SELinux cache.
  2007-03-29 13:33   ` JanuGerman
@ 2007-03-29 13:38     ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2007-03-29 13:38 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Thu, 2007-03-29 at 14:33 +0100, JanuGerman wrote:
> Hi Stephen,
> 
> 
> > $ cat test.te
> > policy_module(test, 1.0)
> > 
> > require {
> >         attribute domain;
> >         attribute file_type;
> > }
> > 
> > auditallow domain file_type:dir_file_class_set *;
> > $ make -f /usr/share/selinux/devel/Makefile
> > $ su -
> > # semodule -i test.pp
> > # tail -f /var/log/audit/audit.log
> > 
> > But be warned that this will generate a lot of
> > audit.
> > To remove, use:
> > # semodule -r test
> > 
> 
> I am having some problems now with this module. I
> added this module; after restart, there were a lot of
> messages saying "audit ... maximum size=256 size
> exceeded".

Curious - I was able to insert it on a FC6 system, generating some audit
data, and then removed it.  But I wouldn't recommend trying to boot up
with it enabled - as I said, it will generate a ton of audit data since
it would trigger an audit message on every allowed file access.  Not
sure what limitations auditd imposes - I haven't seen that maximum size
message before.

>  The messages were not stopping, so I
> rebooted the system with SELinux disabled and tried to
> remove this module.

You said "tried to remove this module."  Does that mean you did or did
not successfully run "semodule -r test"?  Should have been possible to
do without disabling SELinux; you could have booted single user.

> But now, when I reboot, the system hangs at starting
> the "udev" service: MAKEDEV: mkdir: FILE exists ...saying
> an error occurred during file system check, dropping
> you to shell, ... give root password for maintaine....
> 
> My system has e compiled kernels, but none of them is
> rebooting with SELinux.
> 
> Can I recover SELinux again while rebooted without
> SELinux? Or does this mean the system is not usable any
> more?

Boot with 'enforcing=0 single', then run 'fixfiles relabel' if it
doesn't automatically relabel, then reboot normally.

Disabling SELinux will leave you with unlabeled files that need to be
relabeled.

-- 
Stephen Smalley
National Security Agency

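An added check for the recovery step Stephen gives above (boot with enforcing=0, relabel, reboot); it is not from the thread. Files created while SELinux was disabled carry no security.selinux attribute, so once SELinux is enabled again they show the unlabeled_t type. The script counts such files on the root filesystem and, if any exist, arms the /.autorelabel trigger so the next boot relabels everything. It assumes GNU find's -printf '%Z' context format, the unlabeled_t type name, the selinuxenabled/getenforce utilities from libselinux and the /.autorelabel convention; the listing fed to the parsing functions is constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): find files left without a valid
# SELinux label after running with SELinux disabled, and arm a relabel.
# Tool names and the /.autorelabel convention are assumptions.
set -eu

# Read "context path" lines (as produced by find -printf '%Z %p\n') on
# stdin and print the paths whose type is unlabeled_t. Paths may contain
# spaces: everything after the first space is the path.
unlabeled_paths() {
    awk '
        {
            ctx = $1
            path = substr($0, length(ctx) + 2)
            n = split(ctx, f, ":")
            # type is the third field of user:role:type[:level]
            if (n >= 3 && f[3] == "unlabeled_t") print path
        }
    '
}

# Number of unlabeled_t entries in a listing read from stdin.
count_unlabeled() {
    unlabeled_paths | awk 'END { print NR }'
}

# Scan one filesystem (no crossing into other mounts), write the
# unlabeled paths to $2 for review and print how many there are.
scan_fs() {
    root=$1
    out=$2
    find "$root" -xdev -printf '%Z %p\n' 2>/dev/null | unlabeled_paths > "$out"
    awk 'END { print NR }' "$out"
}

# Arm /.autorelabel so init relabels every filesystem on the next boot;
# "fixfiles relabel" from single-user mode is the immediate alternative.
arm_autorelabel() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    touch /.autorelabel
    echo "armed /.autorelabel; reboot to relabel"
}

main() {
    if selinuxenabled 2>/dev/null; then
        echo "SELinux is enabled, mode: $(getenforce)"
    else
        echo "SELinux is not enabled in this boot; boot with enforcing=0 first" >&2
        return 1
    fi
    listing=$(mktemp)
    n=$(scan_fs / "$listing")
    echo "$n files with unlabeled_t (listing: $listing)"
    [ "$n" -gt 0 ] && arm_autorelabel
    return 0
}

case "${1:-}" in
    scan) main ;;
esac
```

Run "sh relabel-check.sh scan" after booting with enforcing=0; the listing it leaves behind shows exactly which files were created or modified while SELinux was off, which is useful evidence before the relabel overwrites their contexts.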
