In trying to come up with the correct access check for lpq I looked at
security_compute_av() and avc_has_perm_noaudit(). According to the man
page for security_compute_av, the cron source is an example, so I also
took a look at that.
Using this sample program I always get 0 as the return value, which
should indicate success, but I get it even when I supply values which
should fail. The only time avc_has_perm_noaudit() returns -1 is when
the policy does not allow access to the selinux_netlink_socket tclass.
Looking at the cron source I see a comparison of the av_decision.allowed
with the access_vector_t that was requested. When I look at the
av_decision.allowed after calling avc_has_perm I always see 0.
Am I doing something wrong? Does the documentation describe the current
functionality?
Any help would be appreciated.
-matt
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <selinux/selinux.h>
#include <selinux/flask.h>
#include <selinux/avc.h>
#include <selinux/av_permissions.h>
#include <selinux/context.h>
//#define SCON "user_u:object_r:user_home_dir_t:s0"
//#define TCON "user_u:object_r:user_home_dir_t:s1"
#define SCON "user_u:object_r:user_home_dir_t"
#define TCON "user_u:object_r:user_home_dir_t"
//#define TCON "root:object_r:user_home_dir_t"
int main(int argc, char *argv[]) {
    int retval;
    security_id_t ssid;
    security_id_t tsid;
    struct av_decision avd = { 0 };
    struct avc_entry_ref avcref;
    security_class_t tclass = SECCLASS_FILE;
    access_vector_t avr = FILE__READ;

    /* Start the userspace AVC; the later calls fail without it. */
    if (avc_init("test_foo_", NULL, NULL, NULL, NULL) < 0) {
        fprintf(stderr, "avc_init: %s\n", strerror(errno));
        return 1;
    }
    avc_entry_ref_init(&avcref);
    /* Map the two context strings to SIDs the AVC can work with. */
    if (avc_context_to_sid(SCON, &ssid) < 0 ||
        avc_context_to_sid(TCON, &tsid) < 0) {
        fprintf(stderr, "avc_context_to_sid: %s\n", strerror(errno));
        avc_cleanup();
        return 1;
    }
    retval = avc_has_perm_noaudit(ssid, tsid, tclass, avr, &avcref, &avd);
    /* Require every requested bit to be present in the allowed vector. */
    if (retval == 0 && ((avd.allowed & avr) == avr))
        printf("granted\n");
    else
        printf("denied (retval=%d, allowed=0x%x)\n", retval,
               (unsigned)avd.allowed);
    avc_cleanup();
    return retval;
}
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
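The decision check the post borrows from cron, as an added example that is not the poster's code and not libselinux's: it separates the two signals an AVC query produces (whether the call itself succeeded, and which bits the policy placed in avd.allowed) and treats a request as granted only when every requested bit is allowed, so a multi-bit request such as read+write is denied when only read is permitted. The access_vector_t typedef, the trimmed struct av_decision and the DEMO_FILE__* bit values are local stand-ins constructed for this example so it compiles without libselinux; real code uses the definitions from <selinux/avc.h> and <selinux/av_permissions.h>.

```c
#include <stdio.h>
#include <stdint.h>

/* Local stand-ins for the libselinux types used on the page, so this
 * example builds without libselinux. Real code takes these from
 * <selinux/avc.h>; the real struct has more fields than shown here. */
typedef uint32_t access_vector_t;

struct av_decision {
    access_vector_t allowed;     /* permissions policy grants */
    access_vector_t decided;     /* permissions the decision covers */
    access_vector_t auditallow;
    access_vector_t auditdeny;
    unsigned int seqno;
};

/* Constructed permission bits for the demo, not the values from
 * av_permissions.h. */
#define DEMO_FILE__READ    0x00000001u
#define DEMO_FILE__WRITE   0x00000002u
#define DEMO_FILE__GETATTR 0x00000004u

enum av_result { AV_GRANTED, AV_DENIED, AV_QUERY_FAILED };

/* Combine the two signals from an AVC query: rc says whether the query
 * itself succeeded, avd->allowed says what the policy decided. A request
 * is granted only when every requested bit is present in allowed. */
enum av_result av_check(int rc, const struct av_decision *avd,
                        access_vector_t requested)
{
    if (rc != 0)
        return AV_QUERY_FAILED;
    if ((avd->allowed & requested) == requested)
        return AV_GRANTED;
    return AV_DENIED;
}

/* Bits that were requested but not allowed, so a caller can report
 * exactly which permission the policy is missing. */
access_vector_t av_missing(const struct av_decision *avd,
                           access_vector_t requested)
{
    return requested & ~avd->allowed;
}

const char *av_result_name(enum av_result r)
{
    switch (r) {
    case AV_GRANTED: return "granted";
    case AV_DENIED:  return "denied";
    default:         return "query failed";
    }
}

int main(void)
{
    /* Constructed decision: policy allows read and getattr on the target. */
    struct av_decision avd = { 0 };
    access_vector_t single = DEMO_FILE__READ;
    access_vector_t multi  = DEMO_FILE__READ | DEMO_FILE__WRITE;

    avd.allowed = DEMO_FILE__READ | DEMO_FILE__GETATTR;
    avd.decided = DEMO_FILE__READ | DEMO_FILE__WRITE | DEMO_FILE__GETATTR;

    printf("read only:   %s\n", av_result_name(av_check(0, &avd, single)));
    printf("read+write:  %s (missing 0x%x)\n",
           av_result_name(av_check(0, &avd, multi)),
           (unsigned)av_missing(&avd, multi));
    printf("query error: %s\n", av_result_name(av_check(-1, &avd, single)));
    return 0;
}
```

Keeping the return code and the allowed vector as separate checks is what makes the result readable in a log: a failed query (bad context, AVC not initialised) is reported differently from a policy denial, and av_missing() names the permission to add to policy rather than just saying "denied".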