* is it a newbie'sh question?: where is the log for violated access ?

From: Tetsuji Maverick Rai
Date: 2006-05-22 17:10 UTC
To: selinux

Hi all,

I thought when an access violation occurs, it's logged in /var/log/audit.log or messages, but it doesn't look so.

For example, if I invoke "su apache -c 'cat /etc/passwd'" as root, which will cause an access error because the apache user isn't allowed to use cat, I cannot find any violation log in any of the log files above.

Actually it's prohibited by SELinux, i.e. as root "su apache -c 'cat /etc/passwd'" will say nothing, while "su maverick -c 'cat /etc/passwd'" (maverick is a normal user) displays the contents of /etc/passwd. I think it's a form of access violation, but this isn't logged anywhere. Will anyone tell me why or where it's logged?

Thanks in advance.

-Tetsuji

--
Tetsuji 'Maverick' Rai
Main http://maverick6664.bravehost.com/
Profile: http://setiweb.ssl.berkeley.edu/beta/view_profile.php?userid=123
pubkey http://mav.atspace.com/tmr_at_gmail.txt
PGP Key ID: 82335CD9
Key fingerprint = 41CA 94B4 2A89 3FF1 5B11 BC37 D597 E667 8233 5CD9

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: is it a newbie'sh question?: where is the log for violated access ?

From: Stephen Smalley
Date: 2006-05-22 17:36 UTC
To: Tetsuji Maverick Rai; +Cc: selinux

On Tue, 2006-05-23 at 02:10 +0900, Tetsuji Maverick Rai wrote:
> Hi all,
>
> I thought when an access violation occurs, it's logged in
> /var/log/audit.log or messages, but it doesn't look so.
>
> For example, If I invoke "su apache -c "cat /etc/passwd" as root which
> will cause access error because apache user isn't allowed to use cat,
> but I cannot find any violation log in any of the log files above.
>
> Actually it's prohibited by selinux: ie.
> as a root "su apache -c 'cat /etc/passwd'" will say nothing, while
> "su maverick -c 'cat /etc/passwd'" (maverick is a normal user) displays
> contents of /etc/passwd. I think it's a form of access violation but
> this isn't logged anywhere. Will anyone tell me why or where it's logged?
>
> Thanks in advance.

If running auditd, then it is audit.log. Otherwise, it is messages.

Cases where there is no audit message include:

a) The syscall failed before reaching the SELinux hook, e.g. a DAC denial or some other error condition,

b) SELinux denied access but policy has a dontaudit rule to silence the audit message for that particular (domain, type, class, permission) tuple to avoid flooding the logs with common patterns of access.

Note that su didn't originally change SELinux security context at all (only the Linux uid) - we intentionally kept changing Linux uid separate from changing SELinux security context. Later, during Fedora SELinux integration, pam_selinux was inserted into su's pam config in an attempt to unify them, but that caused more problems than it solved, ultimately leading to its removal again in the latest Fedora. So su'ing to apache's uid has no bearing on the SELinux security context. Use runcon -t httpd_t to run a process in apache's domain (although it will likely fail immediately on the transition or entrypoint checks).

--
Stephen Smalley
National Security Agency
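The reply above makes two points a practitioner has to act on: the AVC record lands in audit.log when auditd is running and in syslog's messages otherwise, and the record may be missing entirely (a DAC failure never reaches the SELinux hook) or silenced by a dontaudit rule keyed on the (domain, type, class, permission) tuple. The following Python script is an added example, not code from this thread or from the SELinux project: it parses the AVC payload from either log format and counts denials by that tuple, so that the repeated patterns dontaudit rules exist to suppress are visible at a glance. The sample log lines are constructed, the function names are mine, and the paths in `log_path()` are assumed distribution defaults.

```python
"""Parse SELinux AVC records from audit.log or syslog and group denials by
the (domain, type, class, permission) tuple. Added example; sample lines are
constructed and the default log paths are assumed typical defaults."""
import re
from collections import Counter

# The AVC payload is the same whether auditd wrote it to audit.log
# ("type=AVC msg=audit(...): avc: ...") or the kernel printk reached syslog
# ("kernel: audit(...): avc: ..."), so a single regex serves both sources.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for": values are double-quoted (comm="cat") or bare (tclass=file).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def log_path(auditd_running):
    """Where to look, per the reply: audit.log under auditd, else syslog's messages
    (assumed default paths)."""
    return "/var/log/audit/audit.log" if auditd_running else "/var/log/messages"


def context_type(ctx):
    """Type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Return a dict for a line carrying an AVC record, or None when it carries
    none (a DAC denial fails before the SELinux hook and leaves no AVC record)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if quoted else bare
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "domain": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def denial_tuples(lines):
    """Count denials by the (domain, type, class, permission) tuple a dontaudit
    rule keys on; repeated tuples are the noise such rules silence."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["domain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


# Constructed sample lines covering both log formats and both "no record" cases.
SAMPLE_LINES = [
    # auditd running: the record is written to audit.log
    'type=AVC msg=audit(1148318400.101:77): avc:  denied  { read } for  pid=2201 comm="cat" '
    'name="passwd" dev=sda1 ino=130 scontext=root:system_r:httpd_t '
    'tcontext=system_u:object_r:etc_t tclass=file',
    # no auditd: the same kernel message ends up in syslog's messages file
    'May 22 17:10:05 gentoo kernel: audit(1148318405.202:78): avc:  denied  { getattr } for  '
    'pid=2202 comm="cat" name="passwd" dev=sda1 ino=130 scontext=root:system_r:httpd_t '
    'tcontext=system_u:object_r:etc_t tclass=file',
    # a repeat of the first tuple: the kind of pattern a dontaudit rule suppresses
    'type=AVC msg=audit(1148318410.303:79): avc:  denied  { read } for  pid=2203 comm="cat" '
    'name="passwd" dev=sda1 ino=130 scontext=root:system_r:httpd_t '
    'tcontext=system_u:object_r:etc_t tclass=file',
    # case a) from the reply: a DAC denial produces no AVC record, only the
    # program's own error on stderr, so an ordinary syslog line is all that remains
    'May 22 17:11:00 gentoo sshd[2210]: Accepted publickey for maverick from 10.0.0.5',
    # an auditallow "granted" record is parsed but is not a denial
    'type=AVC msg=audit(1148318420.404:80): avc:  granted  { read } for  pid=2204 comm="httpd" '
    'path="/var/www/index.html" scontext=system_u:system_r:httpd_t '
    'tcontext=system_u:object_r:httpd_sys_content_t tclass=file',
]


if __name__ == "__main__":
    print("reading", log_path(auditd_running=False), "(simulated with constructed lines)")
    for (domain, ttype, tclass, perm), n in denial_tuples(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {domain} -> {ttype} {tclass} {{ {perm} }}")
```

To run this against a live host, replace `SAMPLE_LINES` with the lines of whichever file `log_path()` names for that host; a tuple that appears in the output with a high count and that the policy author considers harmless is the candidate for a dontaudit rule, and a denial you expected but do not see at all is, as the reply explains, either silenced by such a rule or never reached SELinux in the first place.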
* Re: is it a newbie'sh question?: where is the log for violated access ?

From: Tetsuji Maverick Rai
Date: 2006-05-22 18:02 UTC
To: Stephen Smalley; +Cc: selinux

Stephen Smalley wrote:
> On Tue, 2006-05-23 at 02:10 +0900, Tetsuji Maverick Rai wrote:
>> Hi all,
>>
>> I thought when an access violation occurs, it's logged in
>> /var/log/audit.log or messages, but it doesn't look so.
>>....snip.....
>> Thanks in advance.
>
> If running auditd, then it is audit.log. Otherwise, it is messages.
> Cases where there is no audit message include:
> a) The syscall failed before reaching the SELinux hook, e.g. a DAC
> denial or some other error condition,
> b) SELinux denied access but policy has a dontaudit rule to silence the
> audit message for that particular (domain, type, class, permission)
> tuple to avoid flooding the logs with common patterns of access.
>
> Note that su didn't originally change SELinux security context at all
> (only the Linux uid) - we intentionally kept changing Linux uid separate
> from changing SELinux security context. Later, during Fedora SELinux
> integration, pam_selinux was inserted into su's pam config in an attempt
> to unify them, but that caused more problems than it solved, ultimately
> leading to its removal again in the latest Fedora. So su'ing to
> apache's uid has no bearing on the SELinux security context. Use runcon
> -t httpd_t to run a process in apache's domain (although it will likely
> fail immediately on the transition or entrypoint checks).

Thank you!

In my case, auditd isn't running, and my errors seem to include case a) or b), and that's the reason I didn't see the error (warning) messages. I'm not using Fedora (using Gentoo), so it's close to the original, I think.

Then I will use SELinux in the normal way. Anyway my configuration seems effective, at least for the http server, and in the future, more.

Thank you!

regards,
-Tetsuji

--
Tetsuji 'Maverick' Rai
Main http://maverick6664.bravehost.com/
Profile: http://setiweb.ssl.berkeley.edu/beta/view_profile.php?userid=123
pubkey http://mav.atspace.com/tmr_at_gmail.txt
PGP Key ID: 82335CD9
Key fingerprint = 41CA 94B4 2A89 3FF1 5B11 BC37 D597 E667 8233 5CD9