[redhat-lspp] avc_has_perm oddness
Stephen Smalley
sds at tycho.nsa.gov
Mon Jun 26 18:59:04 UTC 2006
On Mon, 2006-06-26 at 14:33 -0400, Matt Anderson wrote:
> In trying to come up with the correct access check for lpq I looked at
> security_compute_av() and avc_has_perm_noaudit(). According to the man
> page for security_compute_av the cron source is an example, so I also
> took a look at that.
>
> Using this sample program I always get 0 as the return value, which
> should indicate success, but I get it even when I supply values which
> should fail. The only time avc_has_perm_noaudit() returns -1 is when
> the policy does not allow access to the selinux_netlink_socket tclass.
>
> Looking at the cron source I see a comparison of the av_decision.allowed
> with the access_vector_t that was requested. When I look at the
> av_decision.allowed after calling avc_has_perm I always see 0.
>
> Am I doing something wrong? Does the documentation describe the current
> functionality?
>
> Any help would be appreciated.
dbus is an example of using avc_has_perm(). If permission was denied,
avc_has_perm() returns -1 with errno EACCES if in enforcing mode. Are
you in permissive mode, perchance?
--
Stephen Smalley
National Security Agency
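
The return behaviour described in the reply above, as an added example that is not part of the original message and is not libselinux code: a small C model of that contract, the cron-style comparison from the question, and a caller-side reading of the result. The names model_avc_has_perm, policy_allows, interpret and run_case are hypothetical, and the permission bit values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not libselinux code; every name below is hypothetical. */
typedef uint32_t av_t;   /* permission bit vector, like access_vector_t */
enum verdict { GRANTED, DENIED, NOT_ENFORCED, CHECK_ERROR };

/* Model of the return contract described in the reply: a denial yields
 * -1 with errno EACCES only in enforcing mode; permissive returns 0. */
int model_avc_has_perm(av_t allowed, av_t requested, int enforcing)
{
    av_t denied = requested & ~allowed;
    if (denied == 0 || !enforcing)
        return 0;
    errno = EACCES;
    return -1;
}

/* cron-style check from the question: compare the decision's allowed
 * vector with the requested vector. It never looks at the mode. */
int policy_allows(av_t allowed, av_t requested)
{
    return (allowed & requested) == requested;
}

/* Caller-side reading of a result. enforcing is 1, 0, or -1 (unknown),
 * the values security_getenforce() reports. */
enum verdict interpret(int rc, int err, int enforcing)
{
    if (enforcing < 0) return CHECK_ERROR;
    if (rc == 0) return enforcing ? GRANTED : NOT_ENFORCED;
    return err == EACCES ? DENIED : CHECK_ERROR;
}

enum verdict run_case(av_t allowed, av_t requested, int enforcing)
{
    errno = 0;
    int rc = model_avc_has_perm(allowed, requested, enforcing);
    return interpret(rc, errno, enforcing);
}

int main(void)
{
    const av_t allowed = 0x1, requested = 0x3;   /* constructed values */
    printf("enforcing=%d permissive=%d policy_allows=%d\n",
           run_case(allowed, requested, 1), run_case(allowed, requested, 0),
           policy_allows(allowed, requested));
    return 0;
}
```

A return of 0 in permissive mode maps to NOT_ENFORCED here rather than GRANTED, because in that mode the return value alone does not distinguish an allowed request from a denied one.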