SELinux should have its own errno value

June 9, 2013

Years ago I mentioned in passing that SELinux should have its own errno value. Today I feel like running down both the technical details of how I think it should work and why it makes sense.

First, I don't think this should be specific to just SELinux. The reality is that Unix kernels are increasingly growing security restrictions over and above standard Unix permissions, all of which suffer from the same visibility problems that SELinux has. Rather than give them all different errno values, I think that there should be a single errno value, call it ESECURITY, which means 'this action was denied due to some additional security policy'.

(It would thus trigger for things like Ubuntu's additional security hardening.)

The advantage of such an errno is that it tells everyone where to look, or at least that there is no point in looking at standard Unix permissions. You know right away that something odd is going on and won't wind up spending a bunch of time looking at file permissions, UIDs, and so on and going 'this should work, why on earth is it failing?'. Today the last is quite common with SELinux (and other such things) and is one large reason they are so frustrating for many people.

The Unix tradition (in general) is to add new errno values for new forms of system call failure; this is the tradition that gave us, for example, ESTALE. 'This operation was denied because of an additional security policy' is clearly a new form of system call failure and so it makes complete sense for it to have a new errno value (and more than one if it becomes necessary). Returning EPERM is not good enough because in reality almost everyone today who sees EPERM assumes that the cause is normal Unix permissions (as shown by all the stories of people who did not think to look at SELinux until much, much later).

(Some people will argue that adding a new errno return is not standards compliant. Fortunately for us, Linux has never promised to be fully POSIX compliant; Linus himself has said in the past that Linux sticks to POSIX only when POSIX makes sense. Refusing to add new errno values for new forms of failure is neither sensible nor useful.)

Comments on this page:

From 98.175.106.200 at 2013-06-09 03:45:42:

You know right away that something odd is going on and won't wind up spending a bunch of time looking at file permissions, UIDs, and so on and going 'this should work, why on earth is it failing?'. Today the last is quite common with SELinux (and other such things) and is one large reason they are so frustrating for many people.

This is a temporary hangup for SELinux newbies but once you get used to the idea that SELinux is around and enforcing policy you stop doing this pretty quick. Something funny going on with perms? Check audit log. Done. The ERRNO idea is interesting, however.

By cks at 2013-06-10 12:53:25:

Two things. First, there are a significant number of anecdotal reports that SELinux's invisibility causes problems. Second, I believe that many sysadmins will not become SELinux experts any more than they become experts with any number of other things that they interact with only occasionally (if at all). As a result I believe that it is inevitable that many unfamiliar people will routinely interact with SELinux; these people very much need a clear pointer to SELinux (or any additional security layer).

(In general audit log messages are not a clear pointer any more than kernel error logs are, because they are not where people look first. People look first at what the program's own failure messages tell them.)

Written on 09 June 2013.
« The Flickr redesign and knowing your site's focus
What the SELinux community should be doing »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Sun Jun 9 02:20:45 2013
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.