From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
Date: Tue, 01 Mar 2011 15:13:17 -0500	[thread overview]
Message-ID: <4D6D535D.2050708@redhat.com> (raw)
In-Reply-To: <1299009721.14035.11.camel@tesla.lan>

On 03/01/2011 03:02 PM, Guido Trentalancia wrote:
> Hello Christopher!
> 
> Finally I am getting back on this...
> 
> On Wed, 23/02/2011 at 20.28 +0100, Guido Trentalancia wrote:
>> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>>> This patch adds some permissions (through interface calls) needed
>>>> by the sysadm role (in particular logging permissions).
>>>>
>>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
>>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
>>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>>>  ubac_fd_exempt(sysadm_t)
>>>>  
>>>>  init_exec(sysadm_t)
>>>> +init_stream_connect(sysadm_t)
>>>
>>> Is this on an upstart system?  If so these two rules should probably
>>> turn into init_telinit() and also that interface updated to handle
>>> stream sockets.
>>
>> I confirm it's an upstart system. At the moment I can't check about the
>> interface that you suggest to use. If it is equivalent, then that's
>> fine. Is it a way to compact things?
>>
>> Do you think we should use the upstart boolean here?
>>
>>>> +logging_send_audit_msgs(sysadm_t)
>>>
>>> Why is this necessary?
>>
>> I am not sure. If I can get some more insight on this I will let you
>> know later on or tomorrow.
>>
>>>> +logging_set_tty_audit(sysadm_t)
>>>>  
>>>>  # Add/remove user home directories
>>>>  userdom_manage_user_home_dirs(sysadm_t)
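Review bot: logging_send_audit_msgs(sysadm_t) and logging_set_tty_audit(sysadm_t) are added with no rationale in the description, which is why the first one drew a "why is this necessary?" in review; the netlink_audit_socket denials quoted later in this thread (comm="bash", { create write nlmsg_relay }, scontext and tcontext both sysadm_t) are the justification, so the description should say that bash's built-in audit logging from an interactive sysadm shell triggers them. The @@ -34,6 +34,10 @@ header announces four added lines but only three "+" lines survive in this quote, so the hunk as shown is incomplete and should be checked against the original posting. For init_stream_connect(sysadm_t), the earlier suggestion in the thread stands: fold it into init_telinit() and extend that interface to cover stream sockets rather than adding a bare init_stream_connect here.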
> 
> I found the following logs about the logging calls:
> 
> type=AVC msg=audit(1295734084.283:24): avc:  denied  { create } for  pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.261:20): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.536:21): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295736796.387:81): avc:  denied  { nlmsg_relay } for  pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294619138.946:19637): avc:  denied  { create } for  pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294683721.351:42): avc:  denied  { write } for  pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> 
> From the sysadm_t context, I bet this is something interactive from the
> console. And I told you already that there are a few problems from the
> console. It needs to be checked carefully as soon as you have finished
> to evaluate and commit the patches that I have already submitted.
> 
> Regards,
> 
> Guido
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
bash has builtin audit logging.
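As an added example (not code from this thread or from the refpolicy project), the script below parses AVC denials like the ones Guido quotes, strips the mail quote markers, unions the permissions per source/target/class into one TE allow rule, and maps the self:netlink_audit_socket case to the interface the patch uses. The sample lines are copied from the thread; the INTERFACE_HINTS table is an assumption of this example, not refpolicy's own mapping.

```python
import re
from collections import defaultdict

# Sample denials, copied from the thread above, still carrying the ">" mail
# quote markers so that the parser has to strip them.
SAMPLE_AVC = """\
> type=AVC msg=audit(1295734084.283:24): avc:  denied  { create } for  pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.261:20): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295736796.387:81): avc:  denied  { nlmsg_relay } for  pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294683721.351:42): avc:  denied  { write } for  pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return (comm, source_type, target_type, tclass, perms) for each AVC line."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line.lstrip("> "))  # drop leading mail quote markers
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]  # user:role:type:range -> type
        ttype = m.group("tcontext").split(":")[2]
        out.append((m.group("comm"), stype, ttype, m.group("tclass"), set(m.group("perms").split())))
    return out

def summarize(denials):
    """Union permissions per (source, target, class); also record which commands hit it."""
    agg, comms = defaultdict(set), defaultdict(set)
    for comm, s, t, cls, perms in denials:
        agg[(s, t, cls)] |= perms
        comms[(s, t, cls)].add(comm)
    return agg, comms

def te_rules(agg):
    """Render each aggregated denial as a raw TE allow rule (what audit2allow would print)."""
    return [f"allow {s} {'self' if s == t else t}:{cls} {{ {' '.join(sorted(p))} }};"
            for (s, t, cls), p in sorted(agg.items())]

# Assumed mapping (this example's, not refpolicy's) from a self:<class> denial to the
# refpolicy interface the thread's patch uses to grant it.
INTERFACE_HINTS = {"netlink_audit_socket": "logging_send_audit_msgs"}

def suggest_interfaces(agg):
    """Prefer an interface call over a raw allow rule where a hint exists."""
    return {f"{INTERFACE_HINTS[cls]}({s})": sorted(p)
            for (s, t, cls), p in agg.items() if s == t and cls in INTERFACE_HINTS}

if __name__ == "__main__":
    agg, comms = summarize(parse_avc(SAMPLE_AVC))
    for rule in te_rules(agg):
        print(rule)
    for iface, perms in suggest_interfaces(agg).items():
        print(f"{iface}  # covers {' '.join(perms)}; triggered by {', '.join(sorted(comms[next(iter(agg))]))}")
```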
