newrole logging
From: Shaun Savage @ 2002-01-15 18:13 UTC
To: SELinux
Hi,
I am adding auditing to the policy. One of the things I want to audit
is whenever anyone executes newrole. I added the line
auditallow { user_t sysadm_t } newrole_exec_t:file execute;
This creates two entries in the messages file,
an "execute" and a "read execute".
The information in the log is not enough. I want "time, who,
old_context, new_context, result"
Should I just add a syslog routine into newrole, or is there a way to
do it via the SELinux auditallow?
I would also like to log the exit from newrole.
?? idea ??
A new PAM module could be written to log the role changes, maybe using
the session PAM.
2) I would also like to log mounts, remounts, and umounts. I added
auditallow {initrc_t sysadm_t user_t} fs_type:filesystem mount;
auditallow {initrc_t sysadm_t user_t} fs_type:filesystem remount;
auditallow {initrc_t sysadm_t user_t} fs_type:filesystem umount;
But it does not like the umount one. Any help?
Shaun
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Re: newrole logging
From: Stephen Smalley @ 2002-01-15 19:05 UTC
To: Shaun Savage; +Cc: SELinux
On Tue, 15 Jan 2002, Shaun Savage wrote:
> The information in the log is not enough. I want "time, who,
> old_context, new_context, result"
> Should I just add a syslog routine into newrole, or is there a way to
> doit via the selinux auditallow?
It might be sufficient to audit the process transition permission checks.
There are two such checks performed during a newrole - the first is
between the original user domain and the newrole_t domain and the second
is between the newrole_t domain and the new user domain. To audit all
uses of newrole to transition from user_t to sysadm_t, you would do:
auditallow user_t newrole_t:process transition;
auditallow newrole_t sysadm_t:process transition;
> But it does not like the umount one, any help??
The permission is named 'unmount'.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
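Added example, not code from either message: with the two auditallow rules from the reply in place (user_t -> newrole_t and newrole_t -> sysadm_t process transition), every newrole invocation leaves two AVC records that share a pid, because the user's shell forks a child that execs newrole and that same child later execs the new shell. The script below pairs those two records and emits exactly the fields asked for in the original post: time, who, old_context, new_context, result. A second hop that is denied is still logged (denials are audited by default), so it comes out with result "denied". The sample syslog lines are constructed; the AVC record shape assumed here (`avc: granted|denied { perm } for key=value ... tclass=...`) is the general one, and the field set a 2002 kernel printed (pid=, exe=) is an assumption, so only pid, scontext, tcontext and tclass are relied on.

```python
"""Reconstruct newrole events from AVC 'transition' audit records.

Assumptions (not from the thread): both transition checks of one newrole
run carry the same pid, records look like
  avc: granted { transition } for pid=N ... scontext=u:r:t tcontext=u:r:t tclass=process
and the log is a syslog file with a 'Mon DD HH:MM:SS host kernel:' prefix.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log: one successful newrole (pid 1234), one where the
# second hop into sysadm_t is denied (pid 1300), one where the first hop
# into newrole_t is denied (pid 1400), and one unrelated file execute.
SAMPLE_LOG = """\
Jan 15 18:01:02 host kernel: avc:  granted  { transition } for  pid=1234 exe=/usr/bin/newrole scontext=shaun:user_r:user_t tcontext=shaun:user_r:newrole_t tclass=process
Jan 15 18:01:03 host kernel: avc:  granted  { transition } for  pid=1234 exe=/usr/bin/newrole scontext=shaun:user_r:newrole_t tcontext=shaun:sysadm_r:sysadm_t tclass=process
Jan 15 18:05:10 host kernel: avc:  granted  { transition } for  pid=1300 exe=/usr/bin/newrole scontext=guest:user_r:user_t tcontext=guest:user_r:newrole_t tclass=process
Jan 15 18:05:11 host kernel: avc:  denied  { transition } for  pid=1300 exe=/usr/bin/newrole scontext=guest:user_r:newrole_t tcontext=guest:sysadm_r:sysadm_t tclass=process
Jan 15 18:09:40 host kernel: avc:  denied  { transition } for  pid=1400 exe=/usr/bin/newrole scontext=nobody:user_r:user_t tcontext=nobody:user_r:newrole_t tclass=process
Jan 15 18:07:00 host kernel: avc:  granted  { execute } for  pid=1301 exe=/bin/bash scontext=shaun:user_r:user_t tcontext=system_u:object_r:newrole_exec_t tclass=file
"""

AVC_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line: str) -> Optional[dict]:
    """Return the AVC record in a syslog line as a dict, or None if it is not one."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"time": m.group("time"), "result": m.group("result"),
           "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))   # pid=, scontext=, tcontext=, tclass=, ...
    return rec


def ctx_type(context: str) -> str:
    """user:role:type -> type."""
    return context.split(":")[2]


def _event(first: dict, last: dict, new_context: Optional[str]) -> dict:
    return {
        "time": last["time"],
        "who": first["scontext"].split(":")[0],   # SELinux user identity of the caller
        "old_context": first["scontext"],
        "new_context": new_context,
        "result": last["result"],
    }


def newrole_events(lines, via_type: str = "newrole_t") -> List[dict]:
    """Pair the two process-transition checks of each newrole run by pid."""
    pending: Dict[str, dict] = {}   # pid -> granted first hop (user domain -> newrole_t)
    events: List[dict] = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "process" or "transition" not in rec["perms"]:
            continue
        pid = rec.get("pid")
        if ctx_type(rec["tcontext"]) == via_type:
            if rec["result"] == "denied":
                # newrole itself was never entered; there is no new context to report.
                events.append(_event(rec, rec, None))
            else:
                pending[pid] = rec
            continue
        first = pending.pop(pid, None)
        if first is None or ctx_type(rec["scontext"]) != via_type:
            continue   # a transition that did not come through newrole_t
        events.append(_event(first, rec, rec["tcontext"]))
    return events


def format_event(ev: dict) -> str:
    return "%s %s %s -> %s %s" % (ev["time"], ev["who"], ev["old_context"],
                                   ev["new_context"] or "(none)", ev["result"])


if __name__ == "__main__":
    for ev in newrole_events(SAMPLE_LOG.splitlines()):
        print(format_event(ev))
```

Run it against /var/log/messages instead of SAMPLE_LOG to get one line per newrole attempt. The "read execute" noise from auditing newrole_exec_t:file execute is ignored because only tclass=process records with the transition permission are considered.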