Re: What is the risk of allowing audit_write?

[Daniel J Walsh <dwalsh@redhat.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/03/2010 05:31 PM, Jason Axelson wrote:
> Hi,
> 
> I have a bash script that I've written that runs in its own domain,
> let's call it my_domain_t. When I run this script, I get a denial
> stating that the script was denied audit_write. But all the script is
> doing when it gets this denial is printing to the screen and asking
> for user input.
> 
> From the SELinux wiki I know that audit_write allows the program to
> "send audit messsages from user space". But does that mean it is able
> to write to /var/log/audit/audit.log? Or more likely send a message to
> the audit daemon which then appends to the audit log?
> 
> So given that I currently don't feel any need to audit the results of
> my script should I use an allow rule or something like dontaudit?
> 
> allow my_domain_t self:capability audit_write
> or
> dontaudit my_domain_t self:capability audit_write
> 
> I'm running this script on CLIP.
> 
> Thanks,
> Jason
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
Just add dontaudit rule.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyGUIsACgkQrlYvE4MpobPZxgCfU6HQw4TXYmMrrCoCcvUVNREr
eMgAn3s4ks6EqSW3BDxwQ4J2A43mUmkm
=Wpod
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.