* What is the risk of allowing audit_write?
@ 2010-09-03 21:31 Jason Axelson
2010-09-07 14:47 ` Daniel J Walsh
0 siblings, 1 reply; 3+ messages in thread
From: Jason Axelson @ 2010-09-03 21:31 UTC (permalink / raw)
To: selinux
Hi,
I have a bash script that I've written that runs in its own domain,
let's call it my_domain_t. When I run this script, I get a denial
stating that the script was denied audit_write. But all the script is
doing when it gets this denial is printing to the screen and asking
for user input.
>From the SELinux wiki I know that audit_write allows the program to
"send audit messsages from user space". But does that mean it is able
to write to /var/log/audit/audit.log? Or more likely send a message to
the audit daemon which then appends to the audit log?
So given that I currently don't feel any need to audit the results of
my script should I use an allow rule or something like dontaudit?
allow my_domain_t self:capability audit_write
or
dontaudit my_domain_t self:capability audit_write
I'm running this script on CLIP.
Thanks,
Jason
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: What is the risk of allowing audit_write?
2010-09-03 21:31 What is the risk of allowing audit_write? Jason Axelson
@ 2010-09-07 14:47 ` Daniel J Walsh
2010-09-07 18:25 ` Jason Axelson
0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2010-09-07 14:47 UTC (permalink / raw)
To: Jason Axelson; +Cc: selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/03/2010 05:31 PM, Jason Axelson wrote:
> Hi,
>
> I have a bash script that I've written that runs in its own domain,
> let's call it my_domain_t. When I run this script, I get a denial
> stating that the script was denied audit_write. But all the script is
> doing when it gets this denial is printing to the screen and asking
> for user input.
>
> From the SELinux wiki I know that audit_write allows the program to
> "send audit messsages from user space". But does that mean it is able
> to write to /var/log/audit/audit.log? Or more likely send a message to
> the audit daemon which then appends to the audit log?
>
> So given that I currently don't feel any need to audit the results of
> my script should I use an allow rule or something like dontaudit?
>
> allow my_domain_t self:capability audit_write
> or
> dontaudit my_domain_t self:capability audit_write
>
> I'm running this script on CLIP.
>
> Thanks,
> Jason
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
Just add dontaudit rule.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyGUIsACgkQrlYvE4MpobPZxgCfU6HQw4TXYmMrrCoCcvUVNREr
eMgAn3s4ks6EqSW3BDxwQ4J2A43mUmkm
=Wpod
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: What is the risk of allowing audit_write?
2010-09-07 14:47 ` Daniel J Walsh
@ 2010-09-07 18:25 ` Jason Axelson
0 siblings, 0 replies; 3+ messages in thread
From: Jason Axelson @ 2010-09-07 18:25 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
Hi Daniel,
Thanks for the information. I'll add a dontaudit rule.
Thanks,
Jason
On Tue, Sep 7, 2010 at 4:47 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/03/2010 05:31 PM, Jason Axelson wrote:
>> Hi,
>>
>> I have a bash script that I've written that runs in its own domain,
>> let's call it my_domain_t. When I run this script, I get a denial
>> stating that the script was denied audit_write. But all the script is
>> doing when it gets this denial is printing to the screen and asking
>> for user input.
>>
>> From the SELinux wiki I know that audit_write allows the program to
>> "send audit messsages from user space". But does that mean it is able
>> to write to /var/log/audit/audit.log? Or more likely send a message to
>> the audit daemon which then appends to the audit log?
>>
>> So given that I currently don't feel any need to audit the results of
>> my script should I use an allow rule or something like dontaudit?
>>
>> allow my_domain_t self:capability audit_write
>> or
>> dontaudit my_domain_t self:capability audit_write
>>
>> I'm running this script on CLIP.
>>
>> Thanks,
>> Jason
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
> Just add dontaudit rule.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.16 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkyGUIsACgkQrlYvE4MpobPZxgCfU6HQw4TXYmMrrCoCcvUVNREr
> eMgAn3s4ks6EqSW3BDxwQ4J2A43mUmkm
> =Wpod
> -----END PGP SIGNATURE-----
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-09-07 18:25 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-03 21:31 What is the risk of allowing audit_write? Jason Axelson
2010-09-07 14:47 ` Daniel J Walsh
2010-09-07 18:25 ` Jason Axelson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.