On Mon, 2004-10-18 at 08:43, Thomas Bleher wrote:
> cdrecord deadlocks linux 2.6.8.1:
>
> I have just written selinux policy for cdrecord. While writing this
> policy cdrecord constantly locked up the computer (even in permissive
> mode). When booting with selinux=0 the problem went away.
>
> After digging around for a while, the following seems to be happening:
> * cdrecord calls sched_setscheduler()
> * setscheduler (in kernel/sched.c) asks for CAP_SYS_NICE
> * cdrecord doesn't have this capability
> * selinux generates an audit message ==> deadlock
>
> When I grant cdrecord CAP_SYS_NICE everything works fine.
> I think SELinux shouldn't generate a log message in this case; like it
> is already suppressed for setsched.
>
> To test, add the attached policy, remove sys_nice from the allowed caps
> and simply call cdrecord without parameters.

Suppressing auditing entirely is undesirable as it makes policy debugging very difficult. I think we need to either: a) Add a flag to avc_audit(), optionally passed via avc_audit_data, that tells it to use audit_log_end_irq() so that it merely enqueues the audit message for later processing, and change capable and setscheduler hooks to pass this flag, or
b) Move the security checks in setscheduler outside of the runqueue lock, then just recheck that no security-relevant conditions changed after taking the lock.

Thoughts?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.