* audit in /selinux directory
@ 2007-03-09 19:31 Camilo Y. Campo
2007-03-09 20:23 ` Steve Grubb
0 siblings, 1 reply; 6+ messages in thread
From: Camilo Y. Campo @ 2007-03-09 19:31 UTC (permalink / raw)
To: linux-audit
Hi All,
Some files in /selinux have a weird behavior on audit records... When I
try to read (or write) some files with no read (or write) permission, I
can't get the audit record even when I watch the file.
Look at this example:
[root@alex tmp]# auditctl -w /selinux/disable
[root@alex tmp]# cat /selinux/disable
cat: /selinux/disable: Invalid argument
[root@alex tmp]# ausearch -i -f /selinux/disable
----
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0
name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64
syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160
a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023
key=(null)
The cat command failed and audit is saying "success". A bit strange for
me. Could anybody clarify this point for me, please?
Best Regards
--
Camilo Yamauchi Campo
Linux Technology Center
Software Engineer
camilo@br.ibm.com
* Re: audit in /selinux directory
From: Steve Grubb @ 2007-03-09 20:23 UTC (permalink / raw)
To: linux-audit; +Cc: Camilo Y. Campo
On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> The cat command failed and audit is saying "success". A bit strange for
> me. Could anybody clarify this point for me, please?
It works correctly for me:
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
write(2, "cat: ", 5cat: ) = 5
type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0
name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root
rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open
success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000
items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb
suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0
comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
Try running with strace so you can see the open syscall.
-Steve
* Re: audit in /selinux directory
From: Stephen Smalley @ 2007-03-09 21:13 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, Camilo Y. Campo
On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > The cat command failed and audit is saying "success". A bit strange for
> > me. Could anybody clarify this point for me, please?
>
> It works correctly for me:
>
> fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
You got EACCES rather than EINVAL, so your test didn't reach the same
point in the code path. Try it as root (and with appropriate SELinux
role/domain if under -strict or -mls).
> write(2, "cat: ", 5cat: ) = 5
>
> type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0
> name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root
> rdev=00:00 obj=system_u:object_r:security_t:s0
> type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
> type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open
> success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000
> items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb
> suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0
> comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
>
> Try running with strace so you can see the open syscall.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Stephen Smalley
National Security Agency
* Re: audit in /selinux directory
From: Stephen Smalley @ 2007-03-09 21:17 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, Camilo Y. Campo
On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > The cat command failed and audit is saying "success". A bit strange for
> > > me. Could anybody clarify this point for me, please?
> >
> > It works correctly for me:
> >
> > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
>
> You got EACCES rather than EINVAL, so your test didn't reach the same
> point in the code path. Try it as root (and with appropriate SELinux
> role/domain if under -strict or -mls).
I tried it, and the open succeeds, but the read fails with -EINVAL
because the underlying pseudo file doesn't implement a read method at
all for that node. So the audit is only capturing the open, which was
successful.
>
> > write(2, "cat: ", 5cat: ) = 5
> >
> > type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0
> > name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root
> > rdev=00:00 obj=system_u:object_r:security_t:s0
> > type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
> > type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open
> > success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000
> > items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb
> > suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0
> > comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
> >
> > Try running with strace so you can see the open syscall.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
--
Stephen Smalley
National Security Agency
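An added example, not code from the thread: it parses the two ausearch -i records quoted above (constructed sample, trimmed to one line per record) and reports, per audit serial, which syscall matched the watch and whether it succeeded. It makes Stephen's point visible from the defender's side: the watch only records the open(), so the -EINVAL from cat's later read() never produces a record.

```python
import re

# Constructed sample: the two records from this thread, reduced to the
# fields the parser needs and joined onto one line per record.
SAMPLE = """\
----
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64 syscall=open success=yes exit=3 uid=root auid=abat comm=cat exe=/bin/cat key=(null)
----
type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open success=no exit=-13(Permission denied) uid=sgrubb auid=sgrubb comm=cat exe=/bin/cat key=(null)
"""

# type=<REC> msg=audit(<timestamp>:<serial>) : <key=value fields>
MSG_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$")
# key=value tokens; a value may carry a parenthesised suffix such as
# "-13(Permission denied)" or be "(null)".
FIELD_RE = re.compile(r"(\w+)=(\S+?(?:\([^)]*\))?)(?=\s|$)")

def parse_fields(rest):
    return dict(FIELD_RE.findall(rest))

def parse_events(text):
    """Group PATH/CWD/SYSCALL records by audit serial number."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # "----" separators and anything non-audit
        rtype, _ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"paths": [], "syscall": None,
                                        "success": None, "exit": None})
        fields = parse_fields(rest)
        if rtype == "PATH":
            ev["paths"].append(fields.get("name"))
        elif rtype == "SYSCALL":
            ev["syscall"] = fields.get("syscall")
            ev["success"] = fields.get("success")
            ev["exit"] = fields.get("exit")
            ev["uid"] = fields.get("uid")
    return events

def watch_outcomes(events, path):
    """(serial, syscall, allowed, exit) for every event that touched `path`.
    Only syscalls matched by the watch appear; a read() that fails on an
    already-open descriptor leaves no trace in this list."""
    return [(s, ev["syscall"], ev["success"] == "yes", ev["exit"])
            for s, ev in sorted(events.items(), key=lambda kv: int(kv[0]))
            if path in ev["paths"] and ev["syscall"]]

if __name__ == "__main__":
    for row in watch_outcomes(parse_events(SAMPLE), "/selinux/disable"):
        print(row)
```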
* Re: audit in /selinux directory
From: Stephen Smalley @ 2007-03-09 21:25 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, Camilo Y. Campo
On Fri, 2007-03-09 at 16:17 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> > On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > > The cat command failed and audit is saying "success". A bit strange for
> > > > me. Could anybody clarify this point for me, please?
> > >
> > > It works correctly for me:
> > >
> > > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
> >
> > You got EACCES rather than EINVAL, so your test didn't reach the same
> > point in the code path. Try it as root (and with appropriate SELinux
> > role/domain if under -strict or -mls).
>
> I tried it, and the open succeeds, but the read fails with -EINVAL
> because the underlying pseudo file doesn't implement a read method at
> all for that node. So the audit is only capturing the open, which was
> successful.
And since one has to be root to open it at all, and root has
dac_read_search, you can bypass the DAC mode on it at open time.
So...not a bug?
--
Stephen Smalley
National Security Agency
* Re: audit in /selinux directory
From: Camilo Y. Campo @ 2007-03-14 4:10 UTC (permalink / raw)
To: Stephen Smalley; +Cc: linux-audit
On Fri, 2007-03-09 at 16:25 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 16:17 -0500, Stephen Smalley wrote:
> > On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> > > On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > > > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > > > The cat command failed and audit is saying "success". A bit strange for
> > > > > me. Could anybody clarify this point for me, please?
> > > >
> > > > It works correctly for me:
> > > >
> > > > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > > > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
> > >
> > > You got EACCES rather than EINVAL, so your test didn't reach the same
> > > point in the code path. Try it as root (and with appropriate SELinux
> > > role/domain if under -strict or -mls).
> >
> > I tried it, and the open succeeds, but the read fails with -EINVAL
> > because the underlying pseudo file doesn't implement a read method at
> > all for that node. So the audit is only capturing the open, which was
> > successful.
>
> And since one has to be root to open it at all, and root has
> dac_read_search, you can bypass the DAC mode on it at open time.
> So...not a bug?
For me this seems like a bug... if I can't audit a denied access to a
watched file...
Camilo Y. Campo