From: Steve Grubb
Subject: Re: shadow: what uid to log?
Date: Wed, 23 Oct 2019 12:20:13 -0400
Message-ID: <3027837.ooMb3ITpCv@x2>
To: linux-audit@redhat.com
Cc: Christian Göttsche
List-Id: linux-audit@redhat.com

On Thursday, October 17, 2019 5:05:56 PM EDT Christian Göttsche wrote:
> I am working on migrating src:shadow to today's SELinux API and
> enabling audit logging for denials.

From within the application? It seems that policy could be/is written to
block execution and prevent any changes. That is, unless you are allowing
fine-grained controls like you can update the password but not the user
name or anything else in the database.

> The question which uid to log with 'audit_log_user_avc_message' came up.

This is normally thought of in a client/server situation such as dbus
(system, not session). Dbus runs as root and has no associated login uid, so
in this case you would want to know who dbus was making a decision for. It
would know who the peer is.

In the case where the application is invoked by the user, just use the uid
of whatever account is being operated on. In the case where no account
exists because it is being created, then use -1.

> What is preferred for the applications like passwd, chfn, ..., which
> might be setuid binaries (getuid, geteuid, 0)?

Hope this helps...

-Steve
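Added example in C, not code from this thread or from shadow, showing how a setuid tool such as passwd might call audit_log_user_avc_message() the way the reply above suggests: the record carries the uid of the account being operated on, or -1 while that account is still being created, rather than getuid()/geteuid(). The helper names, the AVC message layout and the sample SELinux contexts are assumptions; audit_open(), audit_log_user_avc_message() and AUDIT_USER_AVC are libaudit's real API.

```c
/* Added example, not code from the thread or from shadow: choosing the uid
 * for audit_log_user_avc_message() as the reply suggests (the account being
 * operated on, or -1 while it does not exist yet).  Build with
 * -DWITH_LIBAUDIT -laudit to emit a real USER_AVC record; otherwise prints. */
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#ifdef WITH_LIBAUDIT
#include <libaudit.h>
#endif

/* Hypothetical helper: uid for the record.  getuid()/geteuid() are not used,
 * since under setuid they identify the invoker and root, not the target. */
int avc_audit_uid(const struct passwd *target)
{
    return target ? (int)target->pw_uid : -1;   /* -1: account being created */
}

/* Denial text in the key=value shape of kernel AVC messages (constructed). */
int format_avc_message(char *buf, size_t len, const char *perm,
                       const char *scontext, const char *tcontext,
                       const char *acct)
{
    return snprintf(buf, len,
        "avc:  denied  { %s } for  acct=%s scontext=%s tcontext=%s tclass=passwd",
        perm, acct ? acct : "?", scontext, tcontext);
}

/* Report one denial for the target account.  Returns 1 if emitted, else 0. */
int report_avc_denial(const struct passwd *target, const char *perm,
                      const char *scontext, const char *tcontext)
{
    char msg[512];
    int uid = avc_audit_uid(target);
    format_avc_message(msg, sizeof msg, perm, scontext, tcontext,
                       target ? target->pw_name : NULL);
#ifdef WITH_LIBAUDIT
    int fd = audit_open();
    if (fd < 0) return 0;
    /* hostname, addr and tty may be NULL; the result is the audit sequence
     * number on success and <= 0 on error. */
    int rc = audit_log_user_avc_message(fd, AUDIT_USER_AVC, msg,
                                        NULL, NULL, NULL, uid);
    audit_close(fd);
    return rc > 0;
#else
    fprintf(stderr, "USER_AVC uid=%d msg='%s'\n", uid, msg);
    return 1;
#endif
}
```

Without -DWITH_LIBAUDIT the same logic runs on any system and prints the record that would have been sent, which is enough to check the uid selection before wiring it to auditd.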