selinux/python/audit2allow
Stephen Smalley 7e09f584e1 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures
Teach audit2why to recognize type bounds failures.  This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.

This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel.  However, it
is unclear if this is needed.  It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).

Before:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

After:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
        Was caused by:
                Typebounds violation.

                Add an allow rule for the parent type.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 15:53:59 -05:00
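Worked example added here (not code from libsepol, libselinux or audit2why): a small Python model of the kernel type bounds logic the commit ports into context_struct_compute_av(), run over the AVC line quoted above. A `typebounds parent child;` statement makes the child's permissions a subset of the parent's, so an allow rule that exists only for the child is masked at runtime and the denial looks unexplainable to an audit2why that only checks the child's rules. The policy content is constructed: only test_bounds_child_t and test_bounds_file_blue_t appear in the AVC line, and the parent type name test_bounds_parent_t is an assumption.

```python
import re
from dataclasses import dataclass, field

# Added example, not libsepol code. Policy content below is constructed; the
# parent type name test_bounds_parent_t is assumed (only the child and file
# types appear in the AVC line on the page).


@dataclass
class Policy:
    # (source_type, target_type, class) -> permissions granted by allow rules
    allow: dict = field(default_factory=dict)
    # child_type -> parent_type, from a `typebounds parent child;` statement
    bounds: dict = field(default_factory=dict)


def compute_av(policy, stype, ttype, tclass):
    """Return (allowed, masked) for one (source, target, class) triple.

    Modelled on the kernel's type_attribute_bounds_av(): take the child's own
    allow rules, then, if the source type is bounded, compute the parent's
    decision (against the target's parent when the target is bounded too) and
    strip every permission the parent lacks. The stripped set is what
    security_dump_masked_av() reports in the kernel.
    """
    allowed = set(policy.allow.get((stype, ttype, tclass), ()))
    parent = policy.bounds.get(stype)
    if parent is None:
        return allowed, set()
    lo_target = policy.bounds.get(ttype, ttype)
    # Recursion walks the whole bounds chain, as the kernel does by re-entering
    # context_struct_compute_av() for the parent context.
    lo_allowed, _ = compute_av(policy, parent, lo_target, tclass)
    masked = allowed - lo_allowed
    return allowed - masked, masked


AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Pull perms, source type, target type and class out of an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial")
    # A context is user:role:type[:range]; the type is the third field.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scon").split(":")[2],
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
    }


def why(policy, line):
    """Classify a denial the way audit2why does after this commit.

    'typebounds' -> the child has the rule but its parent does not (the new case)
    'allowed'    -> the active policy grants it: policy or boolean mismatch
    'missing'    -> no allow rule for the child at all
    """
    avc = parse_avc(line)
    allowed, masked = compute_av(policy, avc["stype"], avc["ttype"], avc["tclass"])
    if avc["perms"] & masked:
        return "typebounds", avc["perms"] & masked
    if avc["perms"] <= allowed:
        return "allowed", set()
    return "missing", avc["perms"] - allowed


# The AVC line quoted in the commit message above.
AVC_LINE = (
    "type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 "
    'comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" '
    'dev="dm-2" ino=23337697 '
    "scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0"
)

# Constructed policy that reproduces the denial: the child has the rule, the
# (assumed) parent does not, so the bounds check masks getattr.
VIOLATING = Policy(
    allow={("test_bounds_child_t", "test_bounds_file_blue_t", "file"): {"getattr", "read"}},
    bounds={"test_bounds_child_t": "test_bounds_parent_t"},
)

# Same policy with the fix audit2why now suggests: an allow rule for the parent.
FIXED = Policy(
    allow={
        ("test_bounds_child_t", "test_bounds_file_blue_t", "file"): {"getattr", "read"},
        ("test_bounds_parent_t", "test_bounds_file_blue_t", "file"): {"getattr", "read"},
    },
    bounds={"test_bounds_child_t": "test_bounds_parent_t"},
)

if __name__ == "__main__":
    for name, pol in (("violating", VIOLATING), ("fixed", FIXED), ("empty", Policy())):
        print(name, why(pol, AVC_LINE))
```

The "violating" policy yields the typebounds classification for the page's AVC line, the "fixed" one yields "allowed" (which is the "would be allowed by active policy" branch a pre-commit audit2why reported for both cases), and an empty policy yields a plain missing-rule result. The same masking is what expand-check=1 in semanage.conf catches at build time; this model only shows why a runtime denial with an apparently matching child rule is a bounds failure rather than a policy mismatch.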
.gitignore Move policycoreutils/sepolgen-ifgen into python/audit2allow. 2016-11-16 11:19:51 -05:00
Makefile Move policycoreutils/sepolgen-ifgen into python/audit2allow. 2016-11-16 11:19:51 -05:00
audit2allow libsepol,libselinux,audit2allow: teach audit2why about type bounds failures 2016-11-29 15:53:59 -05:00
audit2allow.1 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 2016-11-16 11:19:50 -05:00
audit2why Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 2016-11-16 11:19:50 -05:00
audit2why.1 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 2016-11-16 11:19:50 -05:00
sepolgen-ifgen Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 2016-11-16 11:19:50 -05:00
sepolgen-ifgen-attr-helper.c Move policycoreutils/sepolgen-ifgen into python/audit2allow. 2016-11-16 11:19:51 -05:00
test.log Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 2016-11-16 11:19:50 -05:00
test_audit2allow.py Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 2016-11-16 11:19:50 -05:00