From: Michael C Thompson <thompsmc@us.ibm.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: auditctl se_sen & se_clr
Date: Fri, 19 May 2006 10:30:20 -0500
Message-ID: <446DE48C.3010509@us.ibm.com>
In-Reply-To: <1148051869.25168.144.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Fri, 2006-05-19 at 10:07 -0500, Michael C Thompson wrote:
>> Hey all,
>>
>> I'm trying to figure out how the se_sen and se_clr labels are supposed
>> to be used with auditctl.
>>
>> Here is the selinux context:
>> subj=root:staff_r:staff_t:s0-s15:c0.c255
>>      ^    ^       ^       ^
>>   se_user ^    se_type    ^
>>        se_role         se_clr & se_sen
>>
>> What is the difference between se_clr and se_sen? And if you have any
>> enlightening examples, that would be appreciated.
>
> IIRC, se_sen is how audit refers to the low level (aka sensitivity,
> current level) and se_clr is how audit refers to the high level (aka
> clearance, max level) of a MLS range in a SELinux context. In the
> context above, the se_sen would be the "s0" and the se_clr would be the
> "s15:c0.c255".
Thanks, that's what I thought as well. Here is my result of testing this:
root linux user, id:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:staff_r:staff_t:SystemLow-SystemHigh
mcthomps linux user, id:
uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps)
context=user_u:user_r:user_t:SystemLow
When I have the following audit rule
auditctl -a entry,always -S chmod -F se_clr=s0
the chmod actions taken by mcthomps get logged, but not those done by
root (this is as expected).
When the audit rule is
auditctl -a entry,always -S chmod -F se_clr=s15:c0.c255
the chmod actions taken by root get logged, but not by mcthomps (also
expected).
However, for se_sen, this does not seem to be the case. The rule:
auditctl -a entry,always -S chmod -F se_sen=s0
should cause chmod actions taken by both mcthomps and root to be logged,
right? However, I'm only seeing the result of actions taken by mcthomps.
I've also tried to see if se_sen was the entire context, but that
doesn't seem to be the case...
Any ideas? If someone else could take a crack at testing this too, I'd
like to make sure it's not just me :)
Thanks,
Mike
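The semantics Stephen describes, as an added example that is not part of the original thread and is not kernel or audit-userspace code: a small Python model that splits a subject context into the fields auditctl -F can name (se_user, se_role, se_type, se_sen, se_clr) and evaluates field=value / field!=value against the two subjects whose id output is quoted above. The SystemLow/SystemHigh to s0/s15:c0.c255 mapping is an assumption (it is what the reported se_clr results imply), and levels are compared as whole strings, so the model shows what each rule is expected to select, including both users for se_sen=s0, rather than what the kernel of the time actually did.

```python
import re

# Constructed from the two `id` outputs quoted in the message above. The
# translated level names come from setrans; the raw values for them are an
# assumption consistent with the results reported (se_clr=s0 matched mcthomps,
# se_clr=s15:c0.c255 matched root).
SETRANS = {"SystemLow": "s0", "SystemHigh": "s15:c0.c255"}

SUBJECTS = {
    "root": "root:staff_r:staff_t:SystemLow-SystemHigh",
    "mcthomps": "user_u:user_r:user_t:SystemLow",
}

AUDIT_FIELDS = ("se_user", "se_role", "se_type", "se_sen", "se_clr")


def untranslate(level: str) -> str:
    """Map a setrans display name back to a raw MLS level (assumed table)."""
    return SETRANS.get(level, level)


def parse_context(ctx: str) -> dict:
    """Split user:role:type[:low[-high]] into the fields auditctl -F can name.

    se_sen is the low (current) level of the MLS range and se_clr the high
    (clearance) level; a context with a single level has se_sen == se_clr.
    A context without an MLS part yields no se_sen/se_clr at all.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    fields = dict(zip(("se_user", "se_role", "se_type"), parts[:3]))
    if len(parts) == 4:
        low, _, high = parts[3].partition("-")
        fields["se_sen"] = untranslate(low)
        fields["se_clr"] = untranslate(high) if high else fields["se_sen"]
    return fields


def rule_matches(expr: str, ctx: str) -> bool:
    """Evaluate one auditctl '-F field=value' or '-F field!=value' expression.

    Levels are compared as whole strings, which is what '=' means here;
    dominance between levels is deliberately not modelled.
    """
    m = re.fullmatch(r"(\w+)(!=|=)(.+)", expr)
    if not m or m.group(1) not in AUDIT_FIELDS:
        raise ValueError(f"unsupported -F expression: {expr!r}")
    field, op, value = m.groups()
    fields = parse_context(ctx)
    if field not in fields:
        return False  # non-MLS context: nothing for se_sen/se_clr to match
    equal = fields[field] == value
    return equal if op == "=" else not equal


def logged_by(expr: str, subjects=SUBJECTS) -> list:
    """Subjects a rule like `-a entry,always -S chmod -F <expr>` would select."""
    return sorted(name for name, ctx in subjects.items() if rule_matches(expr, ctx))


if __name__ == "__main__":
    for expr in ("se_clr=s0", "se_clr=s15:c0.c255", "se_sen=s0", "se_type!=user_t"):
        print(f"-F {expr:22} -> {logged_by(expr)}")
```

Running the block prints the expected selection for each of the three rules in the message plus a se_type example; the se_sen=s0 line lists both users, which is the result the message says should appear but did not.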
Thread overview: 10+ messages
2006-05-19 15:07 auditctl se_sen & se_clr Michael C Thompson
2006-05-19 15:17 ` Stephen Smalley
2006-05-19 15:30 ` Michael C Thompson [this message]
2006-05-19 16:31 ` James Antill
2006-05-19 17:44 ` Michael C Thompson
2006-05-19 19:19 ` James Antill
2006-05-19 19:30 ` Michael C Thompson
2006-05-19 19:39 ` Steve Grubb
2006-05-24 14:06 ` [PATCH] fix se_sen audit filter Darrel Goeddel
2006-05-26 15:43 ` auditctl se_sen & se_clr Michael C Thompson