From mboxrd@z Thu Jan 1 00:00:00 1970 From: James Antill Subject: Re: auditctl se_sen & se_clr Date: Fri, 19 May 2006 12:31:00 -0400 Message-ID: <1148056260.3469.222.camel@code.and.org> References: <446DDF21.4080808@us.ibm.com> <1148051869.25168.144.camel@moss-spartans.epoch.ncsc.mil> <446DE48C.3010509@us.ibm.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0121733174==" Return-path: Received: from mail.and.org (vpn83-129.boston.redhat.com [172.16.83.129]) by pobox.corp.redhat.com (8.12.8/8.12.8) with ESMTP id k4JGV1QQ020398 for ; Fri, 19 May 2006 12:31:01 -0400 Received: from localhost ([127.0.0.1] helo=localhost.localdomain) by mail.and.org with esmtp (Exim 4.62) (envelope-from ) id 1Fh7sT-0003WZ-3q for linux-audit@redhat.com; Fri, 19 May 2006 12:31:01 -0400 In-Reply-To: <446DE48C.3010509@us.ibm.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Linux Audit List-Id: linux-audit@redhat.com --===============0121733174== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-1lEPa6fLJ8xRbkGxyBIk" --=-1lEPa6fLJ8xRbkGxyBIk Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote: > Thanks, that's what I thought as well. Here is my result of testing this: >=20 > root linux user, id: > uid=3D0(root) gid=3D0(root)=20 > groups=3D0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)=20 > context=3Droot:staff_r:staff_t:SystemLow-SystemHigh >=20 > mcthomps linux user, id: > uid=3D500(mcthomps) gid=3D500(mcthomps) groups=3D500(mcthomps)=20 > context=3Duser_u:user_r:user_t:SystemLow >=20 > When I have the following audit rule is > auditctl -a entry,always -S chmod -F se_clr=3Ds0 > the chmod actions taken by mcthomps get logged, but not those done by=20 > root (this is as expected). This means that a "range" of s0 is being interpreted as: se_sen=3D'' se_clr=3D's0' ...which isn't what I'd expect, but given that... > When the audit rule is > auditctl -a entry,always -S chmod -F se_clr=3Ds15:c0.c255 > the chmod actions taken by root get logged, but not by mcthomps (also=20 > expected). >=20 > However, for se_sen, this does not seem to be the case. The rule: > auditctl -a entry,always -S chmod -F se_se=3Ds0 > should cause chmod actions taken by both mcthomps and root to be logged,=20 > right? However, I'm only seeing the result of actions taken by mcthomps. This follows the same methodology. --=20 James Antill --=-1lEPa6fLJ8xRbkGxyBIk Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQBEbfLE11eXTEMrxtQRAuI+AJ0XuYHYS6ZfWXt/grBmoTBvMXWYPQCgnvIz MYwJJaXKsIHi9/lqt+znwzw= =sOjC -----END PGP SIGNATURE----- --=-1lEPa6fLJ8xRbkGxyBIk-- --===============0121733174== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============0121733174==--