* shadow: what uid to log?
@ 2019-10-17 21:05 Christian Göttsche
2019-10-23 16:20 ` Steve Grubb
From: Christian Göttsche @ 2019-10-17 21:05 UTC (permalink / raw)
To: linux-audit
Hi,
I am working on migrating src:shadow to today's SELinux api and
enabling audit logging for denials.
The question of which uid to log with 'audit_log_user_avc_message' came up.
What is preferred for the applications like passwd, chfn, ... , which
might be setuid binaries (getuid, geteuid, 0)?
Kind regards,
Christian Göttsche
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: shadow: what uid to log?
From: Steve Grubb @ 2019-10-23 16:20 UTC (permalink / raw)
To: linux-audit; +Cc: Christian Göttsche
On Thursday, October 17, 2019 5:05:56 PM EDT Christian Göttsche wrote:
> I am working on migrating src:shadow to today's SELinux api and
> enabling audit logging for denials.
From within the application? It seems that policy could be/is written to
block execution and prevent any changes. That is, unless you are allowing fine
grained controls like you can update the password but not the user name or
anything else in the database.
> The question which uid to log with 'audit_log_user_avc_message' came up.
This is normally thought of in a client/server situation such as dbus (system
not session). Dbus runs as root and has no associated login uid so in this
case you would want to know who dbus was making a decision for. It would know
who the peer is.
In the case where the application is invoked by the user, just use the uid of
whatever account is being operated on. In the case where no
account exists because it is being created, then use -1.
> What is preferred for the applications like passwd, chfn, ... , which
> might be setuid binaries (getuid, geteuid, 0)?
Hope this helps...
-Steve
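The rule Steve gives above (log the uid of the account being operated on, or -1 when that account does not exist yet), shown as an added example in C. This is not code from src:shadow or from the libaudit project; it assumes the libaudit function signature `audit_log_user_avc_message(fd, type, msg, hostname, addr, tty, uid)` and a hypothetical `HAVE_LIBAUDIT` build flag, and the message text it builds is a constructed illustration rather than the kernel's AVC format. The real and effective uids of the setuid process go into the message text for context only; they are never passed as the uid argument.

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef HAVE_LIBAUDIT          /* assumed build flag, not part of shadow */
#include <libaudit.h>
#endif

/* uid to report for an account record that has already been looked up.
 * NULL means "no such account yet" (e.g. useradd before the entry is
 * written), which maps to (uid_t)-1 as the reply above recommends. */
uid_t shadow_audit_uid_from_pw(const struct passwd *pw)
{
    return pw ? pw->pw_uid : (uid_t)-1;
}

/* Same decision for a passwd/chfn-style tool that only has the target
 * account name: resolve it, then apply the rule above. */
uid_t shadow_audit_uid(const char *target_account)
{
    const struct passwd *pw = target_account ? getpwnam(target_account) : NULL;
    return shadow_audit_uid_from_pw(pw);
}

/* Build the free-text part of the record. The calling user's real and
 * effective uids are included as context only. Returns the snprintf
 * length, so callers can detect truncation. */
int shadow_avc_message(char *buf, size_t len, const char *op,
                       const char *target_account, int denied)
{
    return snprintf(buf, len, "op=%s acct=\"%s\" result=%s uid=%u euid=%u",
                    op,
                    target_account ? target_account : "?",
                    denied ? "denied" : "granted",
                    (unsigned)getuid(), (unsigned)geteuid());
}

/* Emit the USER_AVC record. Without libaudit at build time the record is
 * only printed, so the decision logic can still be exercised offline. */
int shadow_log_avc(const char *op, const char *target_account, int denied)
{
    char msg[256];
    uid_t uid = shadow_audit_uid(target_account);

    if (shadow_avc_message(msg, sizeof msg, op, target_account, denied) < 0)
        return -1;

#ifdef HAVE_LIBAUDIT
    int fd = audit_open();
    if (fd < 0)
        return -1;
    /* hostname, addr and tty are left to libaudit to fill in (NULL). */
    int rc = audit_log_user_avc_message(fd, AUDIT_USER_AVC, msg,
                                        NULL, NULL, NULL, uid);
    audit_close(fd);
    return rc < 0 ? -1 : 0;
#else
    fprintf(stderr, "[no libaudit] type=USER_AVC uid=%d msg='%s'\n",
            (int)uid, msg);
    return 0;
#endif
}

int main(void)
{
    /* Denial while changing the password of an existing account. */
    shadow_log_avc("change-password", "root", 1);
    /* Denial while creating an account that does not exist yet -> uid=-1. */
    shadow_log_avc("add-user", "no-such-account-zz", 1);
    return 0;
}
```

Anchoring the uid argument to the target account, not to `getuid()`/`geteuid()`, is what lets `ausearch --uid` find every record about a given account regardless of who ran the tool; the operator's identity is already carried by the record's `auid`.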