From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: ausearch / policy question
Date: Fri, 25 Jul 2008 12:36:19 -0500
Message-ID: <1217007379.7093.218.camel@homeserver>
References: <4889724E.2080106@cn.fujitsu.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m6PHakgG009267
	for <linux-audit@redhat.com>; Fri, 25 Jul 2008 13:36:46 -0400
Received: from magi (rrcs-24-242-137-197.sw.biz.rr.com [24.242.137.197])
	by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id m6PHaYSv032357
	for <linux-audit@redhat.com>; Fri, 25 Jul 2008 13:36:34 -0400
Received: from [24.242.137.194] (helo=[192.168.30.40])
	by magi with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.63) (envelope-from <lenny@magitekltd.com>)
	id 1KMRDK-0007sk-OF
	for linux-audit@redhat.com; Fri, 25 Jul 2008 12:36:22 -0500
In-Reply-To: <4889724E.2080106@cn.fujitsu.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Fri, 2008-07-25 at 14:27 +0800, Cai Xianchao wrote:

> > type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied
> > { read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
> > scontext=root:staff_r:staff_t:s0-s15:c0.c1023
> > tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file 
> >
> >   
>  
> In the message, the level of audit.log is s15:c0.c1023, while the current
> process is s0. So the process can't read audit.log and AVSs are producted.
> 
> 
scontext includes sensitivity levels range s0-s15.

Doesn't that include tcontext sensitivity level s0 (same
classifications)?

Thx,
LCB.
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com