* audit in /selinux directory
From: Camilo Y. Campo
Date: 2007-03-09 19:31 UTC
To: linux-audit

Hi All,

Some files in /selinux have a weird behavior on audit records... When I try to read (or write) some files with no read (or write) permission, I can't get the audit record even when I watch the file. Look at this example:

[root@alex tmp]# auditctl -w /selinux/disable
[root@alex tmp]# cat /selinux/disable
cat: /selinux/disable: Invalid argument
[root@alex tmp]# ausearch -i -f /selinux/disable
----
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64 syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160 a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)

The cat command failed and audit is saying "success". A bit strange for me. Could anybody clarify this point for me, please?

Best Regards
--
Camilo Yamauchi Campo
Linux Technology Center
Software Engineer
camilo@br.ibm.com
* Re: audit in /selinux directory
From: Steve Grubb
Date: 2007-03-09 20:23 UTC
To: linux-audit; +Cc: Camilo Y. Campo

On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> The cat command failed and audit is saying "success". A bit strange for
> me. Could anybody clarify this point for me, please?

It works correctly for me:

fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
write(2, "cat: ", 5cat: ) = 5

type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000 items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0 comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)

Try running with strace so you can see the open syscall.

-Steve
* Re: audit in /selinux directory
From: Stephen Smalley
Date: 2007-03-09 21:13 UTC
To: Steve Grubb; +Cc: linux-audit, Camilo Y. Campo

On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > The cat command failed and audit is saying "success". A bit strange for
> > me. Could anybody clarify this point for me, please?
>
> It works correctly for me:
>
> fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)

You got EACCES rather than EINVAL, so your test didn't reach the same point in the code path. Try it as root (and with appropriate SELinux role/domain if under -strict or -mls).

> write(2, "cat: ", 5cat: ) = 5
>
> type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
> type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
> type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000 items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0 comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
>
> Try running with strace so you can see the open syscall.
>
> -Steve

--
Stephen Smalley
National Security Agency
* Re: audit in /selinux directory
From: Stephen Smalley
Date: 2007-03-09 21:17 UTC
To: Steve Grubb; +Cc: linux-audit, Camilo Y. Campo

On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > The cat command failed and audit is saying "success". A bit strange for
> > > me. Could anybody clarify this point for me, please?
> >
> > It works correctly for me:
> >
> > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
>
> You got EACCES rather than EINVAL, so your test didn't reach the same
> point in the code path. Try it as root (and with appropriate SELinux
> role/domain if under -strict or -mls).

I tried it, and the open succeeds, but the read fails with -EINVAL because the underlying pseudo file doesn't implement a read method at all for that node. So the audit is only capturing the open, which was successful.

> > write(2, "cat: ", 5cat: ) = 5
> >
> > type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
> > type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
> > type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000 items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0 comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
> >
> > Try running with strace so you can see the open syscall.
> >
> > -Steve

--
Stephen Smalley
National Security Agency
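The explanation above (the watch fires on the open(), and the later read() that returns EINVAL is a separate syscall carrying no path) is easy to check against what ausearch actually prints. The following is an added example, not code from this thread or from the audit userspace tools: it groups `ausearch -i` records by event serial, pulls the SYSCALL outcome and PATH names out of each event, and says what a path watch can and cannot conclude from that event alone. The sample input is a constructed copy of the two events posted in this thread, and the `open-succeeded` / `open-denied` / `not-an-open` verdict names are this example's own.

```python
"""Group `ausearch -i` output by event serial and report what a file watch
actually recorded. Added example for the linux-audit thread on /selinux/disable;
the sample below is constructed from the two records posted in that thread."""
import re
from collections import defaultdict

# Constructed sample: the two events from the thread, in `ausearch -i` format
# (events separated by "----", one record per line).
SAMPLE = """\
----
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64 syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160 a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
----
type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000 items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0 comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
"""

# Record layout: type=<record> msg=audit(<timestamp>:<serial>) : <key=value ...>
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<stamp>.*):(?P<serial>\d+)\) : (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")
OPEN_SYSCALLS = {"open", "openat", "creat"}


def parse_events(text):
    """Return {serial: event}. Each event holds the SYSCALL outcome plus every
    PATH name the kernel collected for that one syscall."""
    events = defaultdict(lambda: {
        "syscall": None, "success": None, "exit": None,
        "paths": [], "comm": None, "auid": None,
    })
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # "----" separators and blank lines
        ev = events[m.group("serial")]
        fields = dict(FIELD_RE.findall(m.group("rest")))
        if m.group("type") == "SYSCALL":
            ev["syscall"] = fields.get("syscall")
            ev["success"] = fields.get("success")
            # `ausearch -i` renders failures as exit=-13(Permission denied);
            # keep only the numeric return value.
            ev["exit"] = int(re.match(r"-?\d+", fields["exit"]).group())
            ev["comm"] = fields.get("comm")
            ev["auid"] = fields.get("auid")
        elif m.group("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    return dict(events)


def classify(ev):
    """What a `-w <path>` watch can conclude from this single event."""
    if ev["syscall"] not in OPEN_SYSCALLS:
        return "not-an-open"
    if ev["success"] == "yes":
        # The watch matched the path lookup inside open(). A later read() or
        # write() on the returned descriptor passes a file descriptor, not a
        # path, and is its own syscall, so its failure (EINVAL here) is not
        # part of this event and the watch has nothing to match.
        return "open-succeeded"
    return "open-denied"


if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE).items():
        print(f"{serial}: {ev['comm']} auid={ev['auid']} {ev['syscall']}"
              f"({ev['paths']}) exit={ev['exit']} -> {classify(ev)}")
```

Run against live data with `ausearch -i -f /selinux/disable | python3 this.py` after swapping `SAMPLE` for `sys.stdin.read()`. To see the read() failure itself you need a rule that matches the read syscall (for example `-a always,exit -F arch=b64 -S read -F exit=-EINVAL`, which is a syscall rule, not a path watch) or strace, as Steve suggests.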
* Re: audit in /selinux directory
From: Stephen Smalley
Date: 2007-03-09 21:25 UTC
To: Steve Grubb; +Cc: linux-audit, Camilo Y. Campo

On Fri, 2007-03-09 at 16:17 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> > On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > > The cat command failed and audit is saying "success". A bit strange for
> > > > me. Could anybody clarify this point for me, please?
> > >
> > > It works correctly for me:
> > >
> > > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
> >
> > You got EACCES rather than EINVAL, so your test didn't reach the same
> > point in the code path. Try it as root (and with appropriate SELinux
> > role/domain if under -strict or -mls).
>
> I tried it, and the open succeeds, but the read fails with -EINVAL
> because the underlying pseudo file doesn't implement a read method at
> all for that node. So the audit is only capturing the open, which was
> successful.

And since one has to be root to open it at all, and root has dac_read_search, you can bypass the DAC mode on it at open time. So...not a bug?

--
Stephen Smalley
National Security Agency
* Re: audit in /selinux directory
From: Camilo Y. Campo
Date: 2007-03-14 4:10 UTC
To: Stephen Smalley; +Cc: linux-audit

On Fri, 2007-03-09 at 16:25 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 16:17 -0500, Stephen Smalley wrote:
> > On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> > > On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > > > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > > > The cat command failed and audit is saying "success". A bit strange for
> > > > > me. Could anybody clarify this point for me, please?
> > > >
> > > > It works correctly for me:
> > > >
> > > > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > > > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
> > >
> > > You got EACCES rather than EINVAL, so your test didn't reach the same
> > > point in the code path. Try it as root (and with appropriate SELinux
> > > role/domain if under -strict or -mls).
> >
> > I tried it, and the open succeeds, but the read fails with -EINVAL
> > because the underlying pseudo file doesn't implement a read method at
> > all for that node. So the audit is only capturing the open, which was
> > successful.
>
> And since one has to be root to open it at all, and root has
> dac_read_search, you can bypass the DAC mode on it at open time.
> So...not a bug?

For me this seems a bug... if I can't audit a denied access in a watched file...

Camilo Y. Campo