SElinux and its own error code?

SElinux and its own error code?

[Jeffrey Walton]

Hi Guys,

I lost about four hours chasing inaccurate messages from Apache. It
turns out SElinux was denying access, so the EPERM was not really
accurate. But Apache saw EPERM or EACCESS and logged a message related
to Posix permissions.

As far as I know Posix does not authorize use of EPERM or EACCESS for
SElinux. That is, SElinux should not be hijacking the error code.

I'm wondering why there is no error message for SElinux that would
allow application to return a specific error when SElinux denies
access to an object or operation.

Why does SElinux not have its own error code?

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Re: SElinux and its own error code?

[Greg KH]

On Sat, May 02, 2020 at 11:55:02PM -0400, Jeffrey Walton wrote:
> Hi Guys,
> 
> I lost about four hours chasing inaccurate messages from Apache. It
> turns out SElinux was denying access, so the EPERM was not really
> accurate. But Apache saw EPERM or EACCESS and logged a message related
> to Posix permissions.
> 
> As far as I know Posix does not authorize use of EPERM or EACCESS for
> SElinux. That is, SElinux should not be hijacking the error code.
> 
> I'm wondering why there is no error message for SElinux that would
> allow application to return a specific error when SElinux denies
> access to an object or operation.
> 
> Why does SElinux not have its own error code?

Because it does not need it, you do not have the correct permission to
access that resource, so it fails and tells you that.  All is good, and
posix has nothing to do with it at all, sorry.

greg k-h

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Re: SElinux and its own error code?

[Valdis Klētnieks]

[-- Attachment #1.1: Type: text/plain, Size: 1747 bytes --]

On Sat, 02 May 2020 23:55:02 -0400, Jeffrey Walton said:
> I lost about four hours chasing inaccurate messages from Apache. It
> turns out SElinux was denying access, so the EPERM was not really
> accurate. But Apache saw EPERM or EACCESS and logged a message related
> to Posix permissions.

No, you had a permission problem. It isn't strictly confined to only Posix
permissions. Note that if you use ACLs, you'll also get an EPERM if you don't
have access.

> As far as I know Posix does not authorize use of EPERM or EACCESS for
> SElinux. That is, SElinux should not be hijacking the error code.

And where exactly does Posix say that EPERM is *only* for permission issues
with the user/group/world bits? (Hint:  you can get EPERM for a program that
creates a socket and then tries to bind to the broadcast address for the interface,
or if iptables rejected the request).

> I'm wondering why there is no error message for SElinux that would
> allow application to return a specific error when SElinux denies
> access to an object or operation.

And why would that be useful? What could a program do differently
for a SELinux permission error than a Posix permission error?

If the problem is that you don't know about the SELinux error messages,
you should be learning about the auditd subsystem, setroubleshootd,
sealert, and friends.

> Why does SElinux not have its own error code?

Among other things, it means that programs potentially have to have
special-casing in the error handlers, which are *already* code that doesn't
get fully tested in most cases.

And then you have to add code for Smack permission problems, and for
AppArmor permission problems, and Yama permission problems...

Or you can just return -EPERM for all of them.

[-- Attachment #1.2: Type: application/pgp-signature, Size: 832 bytes --]

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Re: SElinux and its own error code?

[Jeffrey Walton]

On Sun, May 3, 2020 at 3:50 AM Valdis Klētnieks <valdis.kletnieks@vt.edu> wrote:
>
> On Sat, 02 May 2020 23:55:02 -0400, Jeffrey Walton said:
> > I lost about four hours chasing inaccurate messages from Apache. It
> > turns out SElinux was denying access, so the EPERM was not really
> > accurate. But Apache saw EPERM or EACCESS and logged a message related
> > to Posix permissions.
>
> No, you had a permission problem. It isn't strictly confined to only Posix
> permissions. Note that if you use ACLs, you'll also get an EPERM if you don't
> have access.
>
> > As far as I know Posix does not authorize use of EPERM or EACCESS for
> > SElinux. That is, SElinux should not be hijacking the error code.
>
> And where exactly does Posix say that EPERM is *only* for permission issues
> with the user/group/world bits? (Hint:  you can get EPERM for a program that
> creates a socket and then tries to bind to the broadcast address for the interface,
> or if iptables rejected the request).

The error codes Posix provides are in the context of of its permission
framework.

> > I'm wondering why there is no error message for SElinux that would
> > allow application to return a specific error when SElinux denies
> > access to an object or operation.
>
> And why would that be useful? What could a program do differently
> for a SELinux permission error than a Posix permission error?

I could get a useful error message and work on the problem, instead of
wasting hours going down rabbit holes.

> If the problem is that you don't know about the SELinux error messages,
> you should be learning about the auditd subsystem, setroubleshootd,
> sealert, and friends.
>
> > Why does SElinux not have its own error code?
>
> Among other things, it means that programs potentially have to have
> special-casing in the error handlers, which are *already* code that doesn't
> get fully tested in most cases.

Why is that a bad thing?

SElinux is an addon. I have no problem checking for seerrno or ESEPERM
for its specific errors.

Jeff

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Re: SElinux and its own error code?

[Greg KH]

On Sun, May 03, 2020 at 03:59:22AM -0400, Jeffrey Walton wrote:
> > Among other things, it means that programs potentially have to have
> > special-casing in the error handlers, which are *already* code that doesn't
> > get fully tested in most cases.
> 
> Why is that a bad thing?

The goal is to not break existing userspace programs.  If the kernel
started making up new error numbers for every new way it comes up with
preventing you from doing something, userspace programs would not like
that at all.

> SElinux is an addon. I have no problem checking for seerrno or ESEPERM
> for its specific errors.

And do you want to check for all of the other different security models
that Valdis listed?  What about the 10 new ones that are coming in the
next 2 years?  After that?

All that matters to your program is you were not allowed access to that
resource, it doesn't matter what type of kernel feature/option caused
that to happen.

thanks,

greg k-h

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Re: SElinux and its own error code?

[Bernd Petrovitsch]

[-- Attachment #1: Type: text/plain, Size: 1009 bytes --]

Hi all!

On 03/05/2020 03:55, Jeffrey Walton wrote:
[...]
> I lost about four hours chasing inaccurate messages from Apache. It

Only 4hours? ;-) SCNR ...

> turns out SElinux was denying access, so the EPERM was not really
> accurate. But Apache saw EPERM or EACCESS and logged a message related
> to Posix permissions.

It's since day 1 so (and that day is quite sometime ago) - and we all
ran into that at one point.
Sry, I fear you will have to cope with it ...

In an ideal world, the Kernel emits errors via dmesg in such
situations (i.e. the selinux subsystem) - perhaps in some
way configurable (and I had my fair share of grep-ing through
countless lines of selinux error messages to find the really
relevant ones for one given application/process/situation/...).

MfG,
	Bernd

PS: JftSoC: I find the errno's quite coarse too but it's the
    way it is ....
-- 
There is no cloud, just other people computers.
-- https://static.fsf.org/nosvn/stickers/thereisnocloud.svg

[-- Attachment #2: pEpkey.asc --]
[-- Type: application/pgp-keys, Size: 2513 bytes --]

[-- Attachment #3: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies