* is it a newbie'sh question?: where is the log for violated access ?
From: Tetsuji Maverick Rai @ 2006-05-22 17:10 UTC (permalink / raw)
To: selinux
Hi all,
I thought when an access violation occurs, it's logged in
/var/log/audit.log or messages, but it doesn't look so.
For example, if I invoke "su apache -c 'cat /etc/passwd'" as root, which
causes an access error because the apache user isn't allowed to use cat,
I cannot find any violation log in any of the log files above.
Actually it's prohibited by SELinux, i.e.
as root, "su apache -c 'cat /etc/passwd'" will say nothing, while
"su maverick -c 'cat /etc/passwd'" (maverick is a normal user) displays
contents of /etc/passwd. I think it's a form of access violation but
this isn't logged anywhere. Will anyone tell me why or where it's logged?
Thanks in advance.
-Tetsuji
--
Tetsuji 'Maverick' Rai
Main http://maverick6664.bravehost.com/
Profile:
http://setiweb.ssl.berkeley.edu/beta/view_profile.php?userid=123
pubkey http://mav.atspace.com/tmr_at_gmail.txt
PGP Key ID: 82335CD9
Key fingerprint = 41CA 94B4 2A89 3FF1 5B11 BC37 D597 E667 8233 5CD9
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: is it a newbie'sh question?: where is the log for violated access ?
From: Stephen Smalley @ 2006-05-22 17:36 UTC (permalink / raw)
To: Tetsuji Maverick Rai; +Cc: selinux
On Tue, 2006-05-23 at 02:10 +0900, Tetsuji Maverick Rai wrote:
> Hi all,
>
> I thought when an access violation occurs, it's logged in
> /var/log/audit.log or messages, but it doesn't look so.
>
> For example, if I invoke "su apache -c 'cat /etc/passwd'" as root, which
> causes an access error because the apache user isn't allowed to use cat,
> I cannot find any violation log in any of the log files above.
>
> Actually it's prohibited by SELinux, i.e.
> as root, "su apache -c 'cat /etc/passwd'" will say nothing, while
> "su maverick -c 'cat /etc/passwd'" (maverick is a normal user) displays
> contents of /etc/passwd. I think it's a form of access violation but
> this isn't logged anywhere. Will anyone tell me why or where it's logged?
>
> Thanks in advance.
If running auditd, then it is audit.log. Otherwise, it is messages.
Cases where there is no audit message include:
a) The syscall failed before reaching the SELinux hook, e.g. a DAC
denial or some other error condition,
b) SELinux denied access but policy has a dontaudit rule to silence the
audit message for that particular (domain, type, class, permission)
tuple to avoid flooding the logs with common patterns of access.
Note that su didn't originally change SELinux security context at all
(only the Linux uid) - we intentionally kept changing Linux uid separate
from changing SELinux security context. Later, during Fedora SELinux
integration, pam_selinux was inserted into su's pam config in an attempt
to unify them, but that caused more problems than it solved, ultimately
leading to its removal again in the latest Fedora. So su'ing to
apache's uid has no bearing on the SELinux security context. Use runcon
-t httpd_t to run a process in apache's domain (although it will likely
fail immediately on the transition or entrypoint checks).
--
Stephen Smalley
National Security Agency
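The (domain, type, class, permission) tuple Stephen refers to is exactly what an AVC record carries, so a missing message can be checked against policy directly. As an added example (not from this thread), the POSIX shell below parses constructed AVC lines, of the form auditd writes to audit.log or the kernel prints to messages, into that tuple and builds the setools sesearch query that shows whether a dontaudit rule is silencing it; the sample records, pids and inode numbers are made up.

```shell
#!/bin/sh
# Constructed AVC denial records (values invented for the example).
SAMPLE_AVC='type=AVC msg=audit(1148317800.123:42): avc:  denied  { read } for  pid=1234 comm="cat" name="passwd" dev=sda1 ino=98765 scontext=root:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1148317801.456:43): avc:  denied  { getattr } for  pid=1235 comm="httpd" path="/var/www/html/index.html" dev=sda1 ino=11111 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file'

# Read AVC records on stdin and print one "domain type class permissions"
# line per denial: the tuple a dontaudit (or allow) rule is keyed on.
# The type is the third ":"-separated field of a context, so an MLS
# suffix such as ":s0" does not disturb the extraction.
avc_tuples() {
    awk '
    /avc:  denied/ {
        match($0, /\{[^}]*\}/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        domain = ""; type = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); domain = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); type = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print domain, type, cls, perms
    }'
}

# Build the sesearch (setools) query that lists any dontaudit rule for the
# tuple. A hit means case b) in the reply: the access was denied but
# deliberately not logged. "semodule -DB" rebuilds policy with dontaudit
# rules disabled if the silenced denial needs to be seen temporarily.
dontaudit_query() {
    echo "sesearch -D -s $1 -t $2 -c $3 -p $4"
}

# Stand-alone run: print each tuple and the query to check it.
printf '%s\n' "$SAMPLE_AVC" | avc_tuples | while read -r dom typ cls perm; do
    echo "$dom $typ $cls $perm -> $(dontaudit_query "$dom" "$typ" "$cls" "$perm")"
done
```

Remember that su only changes the Linux uid, so the scontext in these records is the caller's own domain; a process actually running as httpd_t, started with runcon as described above, is what would produce denials keyed on httpd_t.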
* Re: is it a newbie'sh question?: where is the log for violated access ?
From: Tetsuji Maverick Rai @ 2006-05-22 18:02 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Stephen Smalley wrote:
> On Tue, 2006-05-23 at 02:10 +0900, Tetsuji Maverick Rai wrote:
>> Hi all,
>>
>> I thought when an access violation occurs, it's logged in
>> /var/log/audit.log or messages, but it doesn't look so.
>>....snip.....
>> Thanks in advance.
>
> If running auditd, then it is audit.log. Otherwise, it is messages.
> Cases where there is no audit message include:
> a) The syscall failed before reaching the SELinux hook, e.g. a DAC
> denial or some other error condition,
> b) SELinux denied access but policy has a dontaudit rule to silence the
> audit message for that particular (domain, type, class, permission)
> tuple to avoid flooding the logs with common patterns of access.
>
> Note that su didn't originally change SELinux security context at all
> (only the Linux uid) - we intentionally kept changing Linux uid separate
> from changing SELinux security context. Later, during Fedora SELinux
> integration, pam_selinux was inserted into su's pam config in an attempt
> to unify them, but that caused more problems than it solved, ultimately
> leading to its removal again in the latest Fedora. So su'ing to
> apache's uid has no bearing on the SELinux security context. Use runcon
> -t httpd_t to run a process in apache's domain (although it will likely
> fail immediately on the transition or entrypoint checks).
>
Thank you! In my case, auditd isn't running, and my errors seem to
include case a) or b) and that's the reason I didn't see the error
(warning) messages.
I'm not using Fedora (using Gentoo), so it's close to the original, I
think. Then I will use SELinux in the normal way.
Anyway my configuration seems effective at least for http server and in
the future, more. Thank you!
regards,
-Tetsuji
--