Re: SE Linux lacks proper user notification for security violations
- From: Stephen Smalley <sds tycho nsa gov>
- To: Valdis Kletnieks vt edu
- Cc: fedora-selinux-list redhat com
- Subject: Re: SE Linux lacks proper user notification for security violations
- Date: Mon, 27 Jun 2005 09:49:38 -0400
On Sat, 2005-06-25 at 09:21 -0400, Valdis Kletnieks vt edu wrote:
> If you're not getting a "permission denied", that means that *your* code
> failed to check the return code of a syscall and call perror() (or language
> equivalent) if needed.
To be fair, SELinux will sometimes prevent such error reporting by the
application because it will have already closed stdin/stdout/stderr and
re-opened them to the null device due to a policy denial on the
inherited descriptor at exec time (upon a domain change). Hence, the
only safe approach is to log such error reports to a log file (and
naturally, to ensure that the application has the necessary permissions
to append to the log file).
--
Stephen Smalley
National Security Agency
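As an added illustration of the point made above (example code, not part of the thread), the C program below reproduces the condition Stephen describes by redirecting its own stderr to /dev/null with dup2 rather than through a real SELinux domain transition, shows that perror() output is then lost, and logs the failure to a file instead. The /dev/null identity check (comparing device numbers with fstat/stat) is this example's own heuristic, and /tmp/example-app.log is a hypothetical log path.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if fd refers to the null device (same char device as /dev/null),
 * which is what an inherited stderr becomes when the policy denies the new
 * domain access to the inherited descriptor at exec time. */
int fd_is_devnull(int fd)
{
    struct stat fd_st, null_st;
    if (fstat(fd, &fd_st) != 0 || stat("/dev/null", &null_st) != 0)
        return 0;
    return S_ISCHR(fd_st.st_mode) && fd_st.st_rdev == null_st.st_rdev;
}

/* Report a failed syscall: write to stderr only while it still goes somewhere,
 * and always append the same line to logpath. Returns 0 if the log append
 * succeeded, -1 otherwise (e.g. the policy denies append on the log file). */
int report_error(const char *logpath, const char *what, int err)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s: %s\n", what, strerror(err));
    if (n < 0) return -1;
    if (n >= (int)sizeof buf) n = (int)sizeof buf - 1;   /* message truncated */
    if (!fd_is_devnull(STDERR_FILENO))
        (void)write(STDERR_FILENO, buf, (size_t)n);
    int lfd = open(logpath, O_WRONLY | O_CREAT | O_APPEND, 0640);
    if (lfd < 0) return -1;
    int rc = (write(lfd, buf, (size_t)n) == n) ? 0 : -1;
    close(lfd);
    return rc;
}

int main(void)
{
    /* Reproduce the condition from the thread: stderr was already redirected
     * to /dev/null before this code runs, so perror()'s output is lost. */
    int nullfd = open("/dev/null", O_WRONLY);
    if (nullfd >= 0) { dup2(nullfd, STDERR_FILENO); close(nullfd); }
    int fd = open("/nonexistent/config", O_RDONLY);   /* constructed failure */
    if (fd >= 0) { close(fd); return 0; }
    int err = errno;
    perror("open");                                   /* silently discarded */
    /* hypothetical log path; the application needs append permission on it */
    return report_error("/tmp/example-app.log", "open /nonexistent/config", err) != 0;
}
```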