From: LC Bruzenak <lenny@magitekltd.com>
To: linux-audit@redhat.com
Subject: Re: need rules help
Date: Thu, 06 Aug 2009 16:17:36 -0500	[thread overview]
Message-ID: <1249593456.3048.70.camel@homeserver> (raw)
In-Reply-To: <1249571430.12117.1002.camel@homeserver>

On Thu, 2009-08-06 at 10:10 -0500, LC Bruzenak wrote:
> On Wed, 2009-08-05 at 21:45 -0500, LC Bruzenak wrote:

OK, I'm back with new evidence of a problem after what I think is
correct setup. I put only the subj_type as a comparator even though I
want a more restrictive set. The rule was set with the "-A" flag.

* My rules start with (use "auditctl -l"):

LIST_RULES: entry,always arch=3221225534 (0xc000003e) syscall=mknod,mknodat
LIST_RULES: entry,always arch=3221225534 (0xc000003e) syscall=mount,umount2
LIST_RULES: exit,never subj_type=jcdx_mtdb_t syscall=all
...

* I note the date:
Thu Aug  6 20:36:31 UTC 2009

* I search again later (using ausearch) and find:

node=jcdx type=PATH msg=audit(08/06/2009 20:42:20.726:21672) : item=0
name=/var/opt/jcdx/tracks/mltrackdb/PlatformTracks.inst/040fd238ede9dfbbc19e012c7633836f/PlatformTracks 
node=jcdx type=CWD msg=audit(08/06/2009 20:42:20.726:21672) :  cwd=/ 
node=jcdx type=SYSCALL msg=audit(08/06/2009 20:42:20.726:21672) :
arch=i386 syscall=stat64 success=no exit=-2(No such file or directory)
a0=9a4ea40 a1=ffc93644 a2=d2aff4 a3=ffc9377c items=1 ppid=1 pid=23599
auid=root uid=root gid=jcdx euid=root suid=root fsuid=root egid=jcdx
sgid=jcdx fsgid=jcdx tty=(none) ses=8 comm=mtdb exe=/opt/jcdx/sbin/mtdb
subj=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 key=(null) 
node=jcdx type=AVC msg=audit(08/06/2009 20:42:20.726:21672) : avc:
denied  { search } for  pid=23599 comm=mtdb
name=040fd238ede9dfbbc19e012c7633836f dev=dm-0 ino=269567
scontext=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511
tcontext=system_u:object_r:jcdx_stdb_var_t:s15:c0.c1023 tclass=dir 


So it appears that the "never" rule is not firing... right?
I'm not sure if the rule applies to only the info in the "type=syscall"
line. Really I want to compare against the specific scontext/tcontext
pair in the "type=AVC" line.

Thanks in advance,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
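An added example, not part of the thread: a small Python parser that groups ausearch records by event serial and pulls out the subj= type from the SYSCALL record (the task's own context, which is the field a subj_type comparator compares) alongside the scontext/tcontext type pair from the AVC record, which is the pair the message wants to filter on. The sample input is the event quoted above re-joined one record per line; the function names are this example's own, not audit-userspace API.

```python
import re
from collections import defaultdict
# Constructed sample: the event quoted above, one record per line as ausearch prints it.
SAMPLE = """\
node=jcdx type=PATH msg=audit(08/06/2009 20:42:20.726:21672) : item=0 name=/var/opt/jcdx/tracks/mltrackdb/PlatformTracks.inst/040fd238ede9dfbbc19e012c7633836f/PlatformTracks
node=jcdx type=CWD msg=audit(08/06/2009 20:42:20.726:21672) :  cwd=/
node=jcdx type=SYSCALL msg=audit(08/06/2009 20:42:20.726:21672) : arch=i386 syscall=stat64 success=no exit=-2(No such file or directory) a0=9a4ea40 a1=ffc93644 a2=d2aff4 a3=ffc9377c items=1 ppid=1 pid=23599 auid=root uid=root gid=jcdx euid=root suid=root fsuid=root egid=jcdx sgid=jcdx fsgid=jcdx tty=(none) ses=8 comm=mtdb exe=/opt/jcdx/sbin/mtdb subj=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 key=(null)
node=jcdx type=AVC msg=audit(08/06/2009 20:42:20.726:21672) : avc:  denied  { search } for  pid=23599 comm=mtdb name=040fd238ede9dfbbc19e012c7633836f dev=dm-0 ino=269567 scontext=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 tcontext=system_u:object_r:jcdx_stdb_var_t:s15:c0.c1023 tclass=dir
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
PERMS_RE = re.compile(r"denied\s+\{ ([^}]+) \}")

def parse_events(text):
    """Group records by event serial; each record becomes a dict of its fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        rec = dict(FIELD_RE.findall(body))
        rec["type"], rec["_body"] = rtype, body
        events[int(serial)].append(rec)
    return events

def selinux_type(ctx):
    return ctx.split(":")[2]  # user:role:type:level -> type

def syscall_subj_type(event):
    """The subj= type on the SYSCALL record, i.e. the task's own context."""
    for rec in event:
        if rec["type"] == "SYSCALL":
            return selinux_type(rec["subj"])
    return None

def avc_denials(event):
    """(scontext type, tcontext type, tclass, perms) for each AVC record."""
    out = []
    for rec in event:
        if rec["type"] == "AVC":
            perms = PERMS_RE.search(rec["_body"]).group(1).split()
            out.append((selinux_type(rec["scontext"]),
                        selinux_type(rec["tcontext"]), rec["tclass"], perms))
    return out

def avc_pair_matches(event, stype, ttype):
    return any(s == stype and t == ttype for s, t, _c, _p in avc_denials(event))
```

Running it on real output (`ausearch -i ... | python3 this.py`) only needs `parse_events(sys.stdin.read())`; events whose AVC pair matches can then be listed separately from events whose SYSCALL subj type alone matches.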
