Re: [redhat-lspp] avc_has_perm oddness
- From: Stephen Smalley <sds tycho nsa gov>
- To: Matt Anderson <mra hp com>
- Cc: redhat-lspp redhat com
- Subject: Re: [redhat-lspp] avc_has_perm oddness
- Date: Mon, 26 Jun 2006 14:59:04 -0400
On Mon, 2006-06-26 at 14:33 -0400, Matt Anderson wrote:
> In trying to come up with the correct access check for lpq I looked at
> security_compute_av() and avc_has_perm_noaudit(). According to the man
> page for security_compute_av the cron source is an example, so I also
> took a look at that.
>
> Using this sample program I always get 0 as the return value, which
> should indicate success, but I get it even when I supply values which
> should fail. The only time avc_has_perm_noaudit() returns -1 is when
> the policy does not allow access to the selinux_netlink_socket tclass.
>
> Looking at the cron source I see a comparison of the av_decision.allowed
> with the access_vector_t that was requested. When I look at the
> av_decision.allowed after calling avc_has_perm I always see 0.
>
> Am I doing something wrong? Does the documentation describe the current
> functionality?
>
> Any help would be appreciated.
dbus is an example of using avc_has_perm(). If permission was denied,
avc_has_perm() returns -1 with errno EACCES if in enforcing mode. Are
you in permissive mode, perchance?
--
Stephen Smalley
National Security Agency