Re: audit bug in fd handling

[Stephen Smalley <sds@tislabs.com>]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 519 bytes --]


On Wed, 10 Jul 2002, Russell Coker wrote:

> It seems that when a file handle open read/write is inherited by a domain
> that is permitted read access only, an error about write access will be
> logged - even if there is a dontaudit rule!

The attached patch (also committed to the sourceforge CVS tree) fixes this
bug in the auditdeny logic.  To apply, save the patch to
~/auditdeny.patch, cd lsm-2.4, and patch -p0 < ~/auditdeny.patch.  Then,
rebuild your kernel.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



[-- Attachment #2: Type: TEXT/PLAIN, Size: 1116 bytes --]

Index: security/selinux/include/linux/flask/avc.h
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.4/security/selinux/include/linux/flask/avc.h,v
retrieving revision 1.3
diff -u -r1.3 avc.h
--- security/selinux/include/linux/flask/avc.h	3 Jun 2002 13:46:51 -0000	1.3
+++ security/selinux/include/linux/flask/avc.h	10 Jul 2002 13:03:52 -0000
@@ -214,6 +214,7 @@
 	unsigned long	flags;
 	struct avc_entry entry;
 	__u32 seqno;
+	access_vector_t denied;
 
 	spin_lock_irqsave(&avc_lock, flags);
 	avc_cache_stats_incr(AVC_ENTRY_LOOKUPS);
@@ -254,9 +255,11 @@
 		ae = aeref->ae;
 	}
 
-	if (!requested || (requested & ae->allowed) != requested) {
-		if (!requested || (requested & ae->auditdeny))
-			avc_audit(ssid, tsid, tclass, requested & ~(ae->allowed), ae,
+	denied = requested & ~(ae->allowed);
+
+	if (!requested || denied) {
+		if (!requested || (denied & ae->auditdeny))
+			avc_audit(ssid, tsid, tclass, denied, ae,
 				  AVC_AUDITDENY, auditdata);
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 		if (avc_debug_always_allow) {