* watching files in selinuxfs
@ 2006-09-27 21:26 Debora Velarde
  2006-09-27 21:46 ` Linda Knippers
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Debora Velarde @ 2006-09-27 21:26 UTC (permalink / raw)
  To: linux-audit

When in enforcing mode, I am only able to audit files in selinuxfs by 
inode, not by path.    I am running as auditadm_r.

/* Try adding audit rule with -F path */
# auditctl -a exit,always -S open -F path=/selinux/enforce
Error sending add rule request (Permission denied)

# auditctl -l
No rules

/* Try adding audit rule with -w path syntax */
# auditctl -w /selinux/enforce
Error sending add rule request (Permission denied)

/* Try adding audit rule with -F inode */
# ls -i /selinux/enforce
4 /selinux/enforce

# auditctl -a exit,always -S open -F inode=4
# auditctl -l
LIST_RULES: exit,always inode=4 (0x4) syscall=open


Since it is possible to audit the files, this might only require a 
documentation change.  Perhaps adding a comment to the auditctl man page 
would be sufficient?

-debbie

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: watching files in selinuxfs
  2006-09-27 21:26 watching files in selinuxfs Debora Velarde
@ 2006-09-27 21:46 ` Linda Knippers
  2006-09-27 22:11   ` Klaus Weidner
  2006-09-28 13:34 ` Stephen Smalley
  2006-09-28 20:33 ` Steve Grubb
  2 siblings, 1 reply; 10+ messages in thread
From: Linda Knippers @ 2006-09-27 21:46 UTC (permalink / raw)
  To: Debora Velarde; +Cc: linux-audit

Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by 
> inode, not by path.    I am running as auditadm_r.
> 
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)
> 
> # auditctl -l
> No rules
> 
> /* Try adding audit rule with -w path syntax */
> # auditctl -w /selinux/enforce
> Error sending add rule request (Permission denied)
> 
> /* Try adding audit rule with -F inode */
> # ls -i /selinux/enforce
> 4 /selinux/enforce
> 
> # auditctl -a exit,always -S open -F inode=4
> # auditctl -l
> LIST_RULES: exit,always inode=4 (0x4) syscall=open

I wonder what this is actually doing.  An inode number without
a file system isn't very interesting.  Should this rule even
be accepted?

> 
> Since it is possible to audit the files, this might only require a 
> documentation change.  Perhaps adding a comment to the auditctl man page 
> would be sufficient?
> 
> -debbie
> 


* Re: watching files in selinuxfs
  2006-09-27 21:46 ` Linda Knippers
@ 2006-09-27 22:11   ` Klaus Weidner
  2006-09-27 22:18     ` Linda Knippers
  0 siblings, 1 reply; 10+ messages in thread
From: Klaus Weidner @ 2006-09-27 22:11 UTC (permalink / raw)
  To: Linda Knippers; +Cc: linux-audit

On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
> Debora Velarde wrote:
> > # auditctl -a exit,always -S open -F inode=4
> > # auditctl -l
> > LIST_RULES: exit,always inode=4 (0x4) syscall=open
> 
> I wonder what this is actually doing.  An inode number without
> a file system isn't very interesting.  Should this rule even
> be accepted?

Well, probably this is telling the audit system to audit access to all
inodes with the number 4 on any filesystem, and if that's not what you
want you need to be more specific...

Given the Unix philosophy of allowing admins to shoot themselves in the
foot, would a warning be appropriate?

-Klaus


* Re: watching files in selinuxfs
  2006-09-27 22:11   ` Klaus Weidner
@ 2006-09-27 22:18     ` Linda Knippers
  2006-09-28  1:59       ` Valdis.Kletnieks
  0 siblings, 1 reply; 10+ messages in thread
From: Linda Knippers @ 2006-09-27 22:18 UTC (permalink / raw)
  To: Klaus Weidner; +Cc: linux-audit

Klaus Weidner wrote:
> On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
> 
>>Debora Velarde wrote:
>>
>>># auditctl -a exit,always -S open -F inode=4
>>># auditctl -l
>>>LIST_RULES: exit,always inode=4 (0x4) syscall=open
>>
>>I wonder what this is actually doing.  An inode number without
>>a file system isn't very interesting.  Should this rule even
>>be accepted?
> 
> 
> Well, probably this is telling the audit system to audit access to all
> inodes with the number 4 on any filesystem, and if that's not what you
> want you need to be more specific...

That's exactly what it's doing.  Debora verified she's getting the audit
record she's looking for and I verified that you'll also get audit records
for any inode 4, at least on my system.
> 
> Given the Unix philosophy of allowing admins to shoot themselves in the
> foot, would a warning be appropriate?

I would think so.  I'm not exactly sure how you'd specify the file system
you want. Is it the major/minor pair?

-- ljk


* Re: watching files in selinuxfs
  2006-09-27 22:18     ` Linda Knippers
@ 2006-09-28  1:59       ` Valdis.Kletnieks
  2006-09-28 15:33         ` Casey Schaufler
  0 siblings, 1 reply; 10+ messages in thread
From: Valdis.Kletnieks @ 2006-09-28  1:59 UTC (permalink / raw)
  To: Linda Knippers; +Cc: linux-audit

On Wed, 27 Sep 2006 18:18:45 EDT, Linda Knippers said:
>
> I would think so.  I'm not exactly sure how you'd specify the file system
> you want. Is the major/minor pair?

What's the major/minor for /proc?

(or any other pseudo file system that one might want to put a watch on).

(And am I going to get a brick lobbed at me if I say "unionfs"? :)


* Re: watching files in selinuxfs
  2006-09-27 21:26 watching files in selinuxfs Debora Velarde
  2006-09-27 21:46 ` Linda Knippers
@ 2006-09-28 13:34 ` Stephen Smalley
  2006-09-28 18:39   ` Debora Velarde
  2006-09-28 20:33 ` Steve Grubb
  2 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2006-09-28 13:34 UTC (permalink / raw)
  To: Debora Velarde; +Cc: linux-audit

On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by 
> inode, not by path.    I am running as auditadm_r.
> 
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)

What avc denial do you get?  I suspect this just means the policy should
be changed to allow e.g. search on security_t:dir for auditctl.
> 
> # auditctl -l
> No rules
> 
> /* Try adding audit rule with -w path syntax */
> # auditctl -w /selinux/enforce
> Error sending add rule request (Permission denied)
> 
> /* Try adding audit rule with -F inode */
> # ls -i /selinux/enforce
> 4 /selinux/enforce
> 
> # auditctl -a exit,always -S open -F inode=4
> # auditctl -l
> LIST_RULES: exit,always inode=4 (0x4) syscall=open
> 
> 
> Since it is possible to audit the files, this might only require a 
> documentation change.  Perhaps adding a comment to the auditctl man page 
> would be sufficient?

-- 
Stephen Smalley
National Security Agency


* Re: watching files in selinuxfs
  2006-09-28  1:59       ` Valdis.Kletnieks
@ 2006-09-28 15:33         ` Casey Schaufler
  0 siblings, 0 replies; 10+ messages in thread
From: Casey Schaufler @ 2006-09-28 15:33 UTC (permalink / raw)
  To: Valdis.Kletnieks, Linda Knippers; +Cc: linux-audit

--- Valdis.Kletnieks@vt.edu wrote:

> On Wed, 27 Sep 2006 18:18:45 EDT, Linda Knippers
> said:
> >
> > I would think so.  I'm not exactly sure how you'd
> specify the file system
> > you want. Is the major/minor pair?
> 
> What's the major/minor for /proc?

You should be able to get that from the 
audit record generated by an operation
if you decided to audit /proc/<something>
and then attempt an illegal access.
I wouldn't be too surprised if the value
reported is uninformative. The dev number
is in the audit record for file access,
right?

> (or any other pseudo file system that one might want
> to put a watch on).

If the "device" is not meaningful there ought
to be something useful in the superblock.

> (And am I going to get a brick lobbed at me if I say
> "unionfs"? :)

A half-brick. They have better range.


Casey Schaufler
casey@schaufler-ca.com

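Linda's question about how to name the filesystem, Valdis's follow-up about pseudo filesystems and Casey's pointer to the dev field of the audit record, worked through in code. This is an added example and not code from the thread, from the audit package or from the kernel: it decodes a Linux dev_t (what stat(2) returns in st_dev) into major:minor, filters a few PATH records by inode alone versus inode plus device, and builds the auditctl rule using the devmajor/devminor field names that auditctl(8) provides. The three PATH records, their inode numbers and their dev values (00:0c standing for selinuxfs, 03:07 for hda7, 00:03 for proc) are constructed for illustration; the generalisation to arbitrary (device, inode) pairs goes beyond the single inode=4 case in the thread.

```python
"""Added example, not from the thread: why an audit rule of the form
`-F inode=N` alone matches files on every mounted filesystem, and how
the dev= field of PATH records (hex major:minor) narrows a match to one
filesystem. The PATH records below are constructed for illustration."""
import os
import re

# Constructed PATH records: the same inode number on three different
# filesystems. The kernel prints dev= as two hex bytes, major:minor.
SAMPLE_PATH_RECORDS = [
    'type=PATH msg=audit(1159461436.758:1016): item=0 name="/selinux/enforce" '
    'inode=4 dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00 '
    'obj=system_u:object_r:security_t:s0',
    'type=PATH msg=audit(1159461440.120:1017): item=0 name="/home/debbie/notes" '
    'inode=4 dev=03:07 mode=0100644 ouid=500 ogid=500 rdev=00:00 '
    'obj=staff_u:object_r:user_home_t:s0',
    'type=PATH msg=audit(1159461445.003:1018): item=0 name="/proc/sys/kernel/hostname" '
    'inode=4 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 '
    'obj=system_u:object_r:proc_t:s0',
]

def decode_dev_t(dev):
    """Split a Linux dev_t (e.g. os.stat(path).st_dev) into (major, minor)
    using the userspace encoding: 12-bit major at bits 8-19, 20-bit minor
    in bits 0-7 and 20-31 (os.major/os.minor give the same answer)."""
    major = (dev >> 8) & 0xfff
    minor = (dev & 0xff) | ((dev >> 12) & 0xfff00)
    return major, minor

def parse_record(line):
    """Split an audit record into a dict of key=value fields; quoted values
    lose their quotes. Sufficient for PATH records."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def parse_dev_field(dev):
    """'00:0c' -> (0, 12): the dev= field is hex major:minor."""
    major, minor = dev.split(':')
    return int(major, 16), int(minor, 16)

def matching_names(records, inode, dev=None):
    """Names of the records a rule would have selected: by inode alone, or
    by inode plus (major, minor) when dev is given."""
    hits = []
    for line in records:
        f = parse_record(line)
        if int(f['inode']) != inode:
            continue
        if dev is not None and parse_dev_field(f['dev']) != dev:
            continue
        hits.append(f['name'])
    return hits

def auditctl_rule(inode, dev=None):
    """The auditctl command that pins an inode to one filesystem.
    devmajor and devminor are field names listed in auditctl(8)."""
    cmd = 'auditctl -a exit,always -S open'
    if dev is not None:
        cmd += ' -F devmajor=%d -F devminor=%d' % dev
    return cmd + ' -F inode=%d' % inode

def dev_of(path):
    """(major, minor) of the filesystem holding path, from stat()."""
    return decode_dev_t(os.stat(path).st_dev)

if __name__ == '__main__':
    print('inode=4 alone matches:', matching_names(SAMPLE_PATH_RECORDS, 4))
    print('pinned to one fs:     ', matching_names(SAMPLE_PATH_RECORDS, 4, (0, 12)))
    print(auditctl_rule(4, (0, 12)))
    # Caveat: pseudo filesystems (selinuxfs, proc, sysfs) live on anonymous
    # devices, major 0 with a minor handed out at mount time, so a devminor=
    # read from a running system is not stable across reboots.
    for p in ('/proc', '/sys', '/'):
        if os.path.exists(p):
            print('%-6s major:minor = %d:%d' % ((p,) + dev_of(p)))
```

Run stand-alone it prints the three names that inode=4 alone would select, the single name left once the device is pinned, the corresponding auditctl command, and the live major:minor of /proc, /sys and / on the machine it runs on, which makes Valdis's point visible: the pseudo filesystems report major 0.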

* Re: watching files in selinuxfs
  2006-09-28 13:34 ` Stephen Smalley
@ 2006-09-28 18:39   ` Debora Velarde
  0 siblings, 0 replies; 10+ messages in thread
From: Debora Velarde @ 2006-09-28 18:39 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: linux-audit

Stephen Smalley <sds@tycho.nsa.gov> wrote on 09/28/2006 06:34:43 AM:

> On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> > When in enforcing mode, I am only able to audit files in selinuxfs by 
> > inode, not by path.    I am running as auditadm_r.
> > 
> > /* Try adding audit rule with -F path */
> > # auditctl -a exit,always -S open -F path=/selinux/enforce
> > Error sending add rule request (Permission denied)
> 
> What avc denial do you get?  I suspect this just means the policy should
> be changed to allow e.g. search on security_t:dir for auditctl.

I don't see any AVC messages when I try to add this rule.

The only new record I see is:
type=CONFIG_CHANGE msg=audit(1159461436.758:1016): auid=500 
subj=staff_u:auditadm_r:auditctl_t:s0-s15:c0.c255 add rule key=(null) 
list=4 res=0

But no rule was added:
# auditctl -l
No rules


* Re: watching files in selinuxfs
  2006-09-27 21:26 watching files in selinuxfs Debora Velarde
  2006-09-27 21:46 ` Linda Knippers
  2006-09-28 13:34 ` Stephen Smalley
@ 2006-09-28 20:33 ` Steve Grubb
  2006-09-28 20:42   ` Stephen Smalley
  2 siblings, 1 reply; 10+ messages in thread
From: Steve Grubb @ 2006-09-28 20:33 UTC (permalink / raw)
  To: linux-audit

On Wednesday 27 September 2006 17:26, Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path.    I am running as auditadm_r.
>
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)

When I do this command, I see AVC's:

time->Thu Sep 28 16:25:12 2006
type=AVC msg=audit(1159475112.366:289): avc:  denied  { getattr } for  
pid=12893 comm="auditctl" name="/" dev=hda7 ino=2 
scontext=root:system_r:auditctl_t:s0-s0:c0.c255 
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

allow auditctl_t fs_t:filesystem getattr;
allow auditctl_t security_t:dir search;


-Steve


* Re: watching files in selinuxfs
  2006-09-28 20:33 ` Steve Grubb
@ 2006-09-28 20:42   ` Stephen Smalley
  0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2006-09-28 20:42 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Thu, 2006-09-28 at 16:33 -0400, Steve Grubb wrote:
> On Wednesday 27 September 2006 17:26, Debora Velarde wrote:
> > When in enforcing mode, I am only able to audit files in selinuxfs by
> > inode, not by path.    I am running as auditadm_r.
> >
> > /* Try adding audit rule with -F path */
> > # auditctl -a exit,always -S open -F path=/selinux/enforce
> > Error sending add rule request (Permission denied)
> 
> When I do this command, I see AVC's:
> 
> time->Thu Sep 28 16:25:12 2006
> type=AVC msg=audit(1159475112.366:289): avc:  denied  { getattr } for  
> pid=12893 comm="auditctl" name="/" dev=hda7 ino=2 
> scontext=root:system_r:auditctl_t:s0-s0:c0.c255 
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> allow auditctl_t fs_t:filesystem getattr;
> allow auditctl_t security_t:dir search;

Yes, seems like that should just be addressed through policy (but likely
in a broader sense, not just these particular types).

-- 
Stephen Smalley
National Security Agency

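The step Steve Grubb did by hand (AVC denial in, allow rule out) and the CONFIG_CHANGE record with res=0 that Debora saw when no AVC was logged, as an added example that is not part of the thread and is not code from audit2allow or the audit package: it extracts the source type, target type, object class and permissions from an AVC record and emits the matching allow rule, and it flags CONFIG_CHANGE "add rule" records whose res=0 means the kernel rejected the rule. The getattr denial and the CONFIG_CHANGE record are copied from the thread; the search denial on security_t:dir is constructed to correspond to the second rule Steve wrote.

```python
"""Added example, not from the thread or from the audit/SELinux tools: turn
AVC denial records into allow rules (the core of what audit2allow does)
and flag CONFIG_CHANGE 'add rule' records that report res=0, i.e. a rule
add the kernel refused."""
import re

# The first and third records are copied from the thread; the `search`
# denial is constructed to match the second allow rule Steve posted.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1159475112.366:289): avc:  denied  { getattr } for  '
    'pid=12893 comm="auditctl" name="/" dev=hda7 ino=2 '
    'scontext=root:system_r:auditctl_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1159475112.366:290): avc:  denied  { search } for  '
    'pid=12893 comm="auditctl" name="/" dev=selinuxfs ino=1 '
    'scontext=root:system_r:auditctl_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:security_t:s0 tclass=dir',
    'type=CONFIG_CHANGE msg=audit(1159461436.758:1016): auid=500 '
    'subj=staff_u:auditadm_r:auditctl_t:s0-s15:c0.c255 add rule key=(null) '
    'list=4 res=0',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)')

def parse_fields(line):
    """key=value fields of a record; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def type_of(context):
    """The type component of a user:role:type[:range] security context."""
    return context.split(':')[2]

def avc_to_allow(line):
    """One AVC 'denied' record -> the allow rule that would permit it;
    None for granted or non-AVC records. Output shape as audit2allow."""
    m = AVC_RE.search(line)
    if m is None or m.group('verdict') != 'denied':
        return None
    perms = m.group('perms').split()
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (type_of(m.group('scontext')),
                                   type_of(m.group('tcontext')),
                                   m.group('tclass'), perm_str)

def failed_rule_adds(records):
    """msg ids of CONFIG_CHANGE 'add rule' records with res=0: the kernel
    refused the rule (auditctl reports 'Permission denied' and `auditctl -l`
    shows nothing), whether or not an AVC record accompanies it."""
    ids = []
    for line in records:
        f = parse_fields(line)
        if f.get('type') == 'CONFIG_CHANGE' and 'add rule' in line \
                and f.get('res') == '0':
            ids.append(f['msg'].rstrip(':'))
    return ids

def triage(records):
    """Allow rules for every denial (deduplicated, order kept) together
    with the failed rule adds."""
    rules = []
    for line in records:
        rule = avc_to_allow(line)
        if rule and rule not in rules:
            rules.append(rule)
    return {'allow_rules': rules, 'failed_rule_adds': failed_rule_adds(records)}

if __name__ == '__main__':
    result = triage(SAMPLE_RECORDS)
    for rule in result['allow_rules']:
        print(rule)
    print('failed rule adds:', result['failed_rule_adds'])
    # A literal allow per denial is a starting point for diagnosis; as the
    # thread concludes, the real fix belongs in policy and is usually
    # broader than the two types named in one denial.
```

Running it reproduces the two allow lines from Steve's message and lists Debora's CONFIG_CHANGE record as a failed add. Debora's observation is the useful caveat: a rule add can fail with no AVC at all, so the res=0 check is worth running even when the AVC search comes back empty.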

Thread overview: 10+ messages
2006-09-27 21:26 watching files in selinuxfs Debora Velarde
2006-09-27 21:46 ` Linda Knippers
2006-09-27 22:11   ` Klaus Weidner
2006-09-27 22:18     ` Linda Knippers
2006-09-28  1:59       ` Valdis.Kletnieks
2006-09-28 15:33         ` Casey Schaufler
2006-09-28 13:34 ` Stephen Smalley
2006-09-28 18:39   ` Debora Velarde
2006-09-28 20:33 ` Steve Grubb
2006-09-28 20:42   ` Stephen Smalley