Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check security_deny_unknown() after calling string_to_security_class()/string_to_av_perm() #43

Open
bigon opened this issue Sep 13, 2019 · 1 comment
Open

Check security_deny_unknown() after calling string_to_security_class()/string_to_av_perm() #43

bigon opened this issue Sep 13, 2019 · 1 comment

Comments

@bigon
Copy link

bigon commented Sep 13, 2019

Hello,

The code is currently either always allowing or denying access in case the SELinux class or access vector is not defined.

IMVHO, this is not OK and you should use security_deny_unknown() after the calls to string_to_security_class() and string_to_av_perm() are failing.

The man page states:

security_deny_unknown() returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, and -1 on error.

So it should be something like

	tclass = string_to_security_class("file");
	if (!tclass) {
		log_it("CRON", getpid(), "ERROR", "Failed to translate security class file", errno);
		if(security_deny_unknown() == 0)
			return 0;
		else
			return -1;
	}
@t8m
Copy link
Member

t8m commented Jan 27, 2020

Hello, I am sorry for not getting to this request earlier. Would you like to write a pull request with such change?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bigon @t8m