* ausearch / policy question
From: LC Bruzenak @ 2008-07-23 22:30 UTC
  To: Linux Audit

OK - now that my logs are classified correctly, I ran the following
ausearch command:
ausearch -ts recent -i -m AVC -c ausearch

And get these:

type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0
name=/etc/audit/auditd.conf inode=21112 dev=fd:00 mode=file,640
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_etc_t:s15:c0.c1023 
type=CWD msg=audit(07/23/2008 17:18:44.292:1620) :  cwd=/var/log/audit 
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64
syscall=open success=yes exit=3 a0=40f9d3 a1=20000 a2=c9c140
a3=3e2bf67a70 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc:  denied
{ read } for  pid=4033 comm=ausearch name=auditd.conf dev=dm-0 ino=21112
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file 
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1622) : item=0
name=/var/log/audit/audit.log inode=24698 dev=fd:00 mode=file,600
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_log_t:s15:c0.c1023 
type=CWD msg=audit(07/23/2008 17:18:44.292:1622) :  cwd=/var/log/audit 
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1622) : arch=x86_64
syscall=open success=yes exit=4 a0=7fff89bcdefb a1=0 a2=3e2bf67a60
a3=3e2bf67a58 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied
{ read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file 
[root@hugo audit]# ausearch -ts recent -i -m AVC -c ausearch
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0
name=/etc/audit/auditd.conf inode=21112 dev=fd:00 mode=file,640
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_etc_t:s15:c0.c1023 
type=CWD msg=audit(07/23/2008 17:18:44.292:1620) :  cwd=/var/log/audit 
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64
syscall=open success=yes exit=3 a0=40f9d3 a1=20000 a2=c9c140
a3=3e2bf67a70 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc:  denied
{ read } for  pid=4033 comm=ausearch name=auditd.conf dev=dm-0 ino=21112
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file 
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1622) : item=0
name=/var/log/audit/audit.log inode=24698 dev=fd:00 mode=file,600
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_log_t:s15:c0.c1023 
type=CWD msg=audit(07/23/2008 17:18:44.292:1622) :  cwd=/var/log/audit 
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1622) : arch=x86_64
syscall=open success=yes exit=4 a0=7fff89bcdefb a1=0 a2=3e2bf67a60
a3=3e2bf67a58 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied
{ read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file 

I've got:
audit-1.7.4-1
selinux-policy-mls-3.3.1-77.fc9.noarch

So my questions are:
1: duplicate records above - expected or correct since there were two
matches - the AVC and also the command?
2: why is ausearch producing the AVCs?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: ausearch / policy question
From: Steve Grubb @ 2008-07-24 19:12 UTC
  To: linux-audit

On Wednesday 23 July 2008 18:30:45 LC Bruzenak wrote:
> So my questions are:
> 1: duplicate records above - expected or correct since there were two
> matches - the AVC and also the command?

You'd have to look at the logs to figure that out. ausearch doesn't buffer
events past one miscompare.

> 2: why is ausearch producing the AVCs?

Maybe you need to be secadmin or auditadmin?

-Steve
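One way to do that look at the logs for question 1, as an added example that is not code from the thread's authors or from the audit project: every record of one kernel event carries the same msg=audit(<timestamp>:<serial>) key, and an event has exactly one SYSCALL record, so counting SYSCALL records per key separates "the same event printed twice" from "two distinct events that look alike". The sample input is the output pasted in the thread, shortened to the fields the check needs and re-joined so each record sits on one line, with the two copies separated by the shell prompt exactly as in the post.

```python
"""Group ausearch -i records by audit event and flag events printed more than once."""
import re
from collections import Counter, defaultdict

# One ausearch -i record begins with "type=<TYPE> msg=audit(<date time:serial>)".
EVENT_KEY = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\)")


def parse_records(text):
    """Yield (event_key, record_type) for each record line in ausearch output."""
    for line in text.splitlines():
        m = EVENT_KEY.match(line.strip())
        if m:
            yield m.group(2), m.group(1)


def events_by_key(text):
    """Group record types under their event key, preserving order of appearance."""
    events = defaultdict(list)
    for key, rtype in parse_records(text):
        events[key].append(rtype)
    return dict(events)


def repeated_events(text):
    """Return {event_key: n} for events whose SYSCALL record appears n > 1 times.

    A kernel event has exactly one SYSCALL record, so seeing it twice under
    the same key means the same event was printed again, not a second event
    (PATH and AVC records may legitimately repeat inside one event).
    """
    out = {}
    for key, types in events_by_key(text).items():
        n = Counter(types)["SYSCALL"]
        if n > 1:
            out[key] = n
    return out


def summarize(text):
    """(number of distinct events, number of events printed more than once)."""
    return len(events_by_key(text)), len(repeated_events(text))


# Records from the thread, shortened to the fields this check needs.
ONE_RUN = """\
type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0 name=/etc/audit/auditd.conf
type=CWD msg=audit(07/23/2008 17:18:44.292:1620) :  cwd=/var/log/audit
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64 syscall=open success=yes exit=3 comm=ausearch
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc:  denied  { read } for  pid=4033 comm=ausearch name=auditd.conf
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1622) : item=0 name=/var/log/audit/audit.log
type=CWD msg=audit(07/23/2008 17:18:44.292:1622) :  cwd=/var/log/audit
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1622) : arch=x86_64 syscall=open success=yes exit=4 comm=ausearch
type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied  { read } for  pid=4033 comm=ausearch name=audit.log
"""

# The thread shows the output twice, with the shell prompt between the copies.
SAMPLE = ONE_RUN + "[root@hugo audit]# ausearch -ts recent -i -m AVC -c ausearch\n----\n" + ONE_RUN

if __name__ == "__main__":
    for key, n in repeated_events(SAMPLE).items():
        print(f"event {key}: SYSCALL record printed {n} times")
    print("distinct events, repeated events:", summarize(SAMPLE))
```

On the pasted output this reports two distinct events (serials 1620 and 1622), each printed twice; whether that came from one run or from pasting two runs is something only the raw audit.log can settle, which is the point of the reply above.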


* Re: ausearch / policy question
From: Cai Xianchao @ 2008-07-25  6:27 UTC
  To: lenny, linux-audit

On Wednesday 23 July 2008 18:30:45 LC Bruzenak wrote:

> 2: why is ausearch producing the AVCs?

Low level is the minimum access needed to read files created by that
user. If the low level of a process is lower than the file's, it's
not permitted.

> type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied
> { read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
> scontext=root:staff_r:staff_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file

In the message, the level of audit.log is s15:c0.c1023, while the current
process is s0. So the process can't read audit.log and AVCs are produced.

Regards
Cai Xianchao

* Re: ausearch / policy question
From: LC Bruzenak @ 2008-07-25 17:36 UTC
  To: Linux Audit

On Fri, 2008-07-25 at 14:27 +0800, Cai Xianchao wrote:

> > type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied
> > { read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
> > scontext=root:staff_r:staff_t:s0-s15:c0.c1023
> > tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
>
> In the message, the level of audit.log is s15:c0.c1023, while the current
> process is s0. So the process can't read audit.log and AVCs are produced.

scontext includes sensitivity levels range s0-s15.

Doesn't that include tcontext sensitivity level s0 (same
classifications)?

Thx,
LCB.
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: ausearch / policy question
From: Cai Xianchao @ 2008-07-29  9:30 UTC
  To: LC Bruzenak; +Cc: Linux Audit

LC Bruzenak said the following on 2008-07-26 1:36:
> On Fri, 2008-07-25 at 14:27 +0800, Cai Xianchao wrote:
>
>>> type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied
>>> { read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
>>> scontext=root:staff_r:staff_t:s0-s15:c0.c1023
>>> tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
>>
>> In the message, the level of audit.log is s15:c0.c1023, while the current
>> process is s0. So the process can't read audit.log and AVCs are produced.
>>
> scontext includes sensitivity levels range s0-s15.
>
> Doesn't that include tcontext sensitivity level s0 (same
> classifications)?
>
> Thx,
> LCB.

In the message, low level of tcontext is equal to high level,
it is s15, not s0.

-- 

Regards
Cai Xianchao

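The level comparison behind that denial, carried through the two replies above, as an added example that is neither the thread authors' code nor part of the audit or SELinux projects. It models only the rule stated in the replies: to read a file, the subject's low (current) level must dominate the object's low level, where "dominate" means higher-or-equal sensitivity and a superset of categories. Two things are assumptions: the reference policy's real MLS constraint for file reads has further exceptions (types carrying attributes such as mlsfilereadtoclr may use their clearance instead) which are left out, and the `RAISED_SUBJECT` context is constructed to show the same subject passing the MLS part of the check once its low level is s15:c0.c1023. Type-enforcement rules are not modelled at all.

```python
"""Model of the SELinux MLS level check behind the ausearch denial (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity number plus a set of category numbers."""
    sens: int
    cats: frozenset

    def dominates(self, other: "Level") -> bool:
        # "dom": sensitivity >= other's AND categories are a superset of other's
        return self.sens >= other.sens and other.cats <= self.cats

    def label(self) -> str:
        return f"s{self.sens}" + (f" with {len(self.cats)} categories" if self.cats else "")


def parse_cats(spec: str) -> frozenset:
    """'c0.c1023,c5' -> {0, ..., 1023, 5}; '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                      # cN.cM is the inclusive range N..M
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """'s15:c0.c1023' or plain 's0' -> Level."""
    sens, _, cats = text.partition(":")
    return Level(int(sens[1:]), parse_cats(cats))


def parse_range(text: str) -> tuple:
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def mls_range(context: str) -> tuple:
    """'user:role:type:<mls>' -> (low, high) parsed from the MLS field."""
    _user, _role, _type, mls = context.split(":", 3)
    return parse_range(mls)


def mls_read_allowed(scontext: str, tcontext: str) -> tuple:
    """Apply the rule from the thread (assumption: no policy exceptions); returns (allowed, reason)."""
    s_low, s_high = mls_range(scontext)
    t_low, _t_high = mls_range(tcontext)
    if s_low.dominates(t_low):
        return True, f"subject low {s_low.label()} dominates object {t_low.label()}"
    reason = f"subject low {s_low.label()} does not dominate object {t_low.label()}"
    if s_high.dominates(t_low):
        # The high end of the range (clearance) is not what the read check compares.
        reason += f"; clearance {s_high.label()} would, but only the low level counts"
    return False, reason


AVC_RE = re.compile(r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def check_avc(line: str) -> tuple:
    """Pull scontext/tcontext out of one AVC record and run the MLS check."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("no scontext/tcontext pair in record")
    return mls_read_allowed(m.group(1), m.group(2))


# The AVC record from the thread, re-joined onto one line.
THREAD_AVC = ("type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied "
              "{ read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698 "
              "scontext=root:staff_r:staff_t:s0-s15:c0.c1023 "
              "tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file")

# Constructed (not from the thread): same subject with its low level raised
# to s15:c0.c1023, so the MLS part of the check alone now passes.
RAISED_SUBJECT = "root:staff_r:staff_t:s15:c0.c1023-s15:c0.c1023"
LOG_FILE = "system_u:object_r:auditd_log_t:s15:c0.c1023"

if __name__ == "__main__":
    print(check_avc(THREAD_AVC))
    print(mls_read_allowed(RAISED_SUBJECT, LOG_FILE))
```

Run on the thread's AVC this comes back denied, with the note that the clearance s15:c0.c1023 would have dominated the log's level; the current level s0 is what the constraint compares, which is exactly what the reply says about the object's low level being s15 rather than s0. On a real system `id -Z` shows the current process context, so the low level a shell is actually running at can be read off directly.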


* Re: ausearch / policy question
From: LC Bruzenak @ 2008-07-29 14:36 UTC
  To: Cai Xianchao; +Cc: Linux Audit

On Tue, 2008-07-29 at 17:30 +0800, Cai Xianchao wrote:

> In the message, low level of tcontext is equal to high level,
> it is s15, not s0.

You are correct; thank you.
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

