From: Michael C Thompson
Subject: Re: auditctl se_sen & se_clr
Date: Fri, 19 May 2006 10:30:20 -0500
Message-ID: <446DE48C.3010509@us.ibm.com>
In-Reply-To: <1148051869.25168.144.camel@moss-spartans.epoch.ncsc.mil>
To: Stephen Smalley
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Stephen Smalley wrote:
> On Fri, 2006-05-19 at 10:07 -0500, Michael C Thompson wrote:
>> Hey all,
>>
>> I'm trying to figure out how the se_sen and se_clr labels are supposed
>> to be used with auditctl.
>>
>> Here is the selinux context:
>> subj=root:staff_r:staff_t:s0-s15:c0.c255
>>      ^    ^       ^       ^
>>      se_user ^    se_type ^
>>              se_role      se_clr & se_sen
>>
>> What is the difference between se_clr and se_sen? And if you have any
>> enlightening examples, that would be appreciated.
>
> IIRC, se_sen is how audit refers to the low level (aka sensitivity,
> current level) and se_clr is how audit refers to the high level (aka
> clearance, max level) of an MLS range in a SELinux context. In the
> context above, the se_sen would be the "s0" and the se_clr would be the
> "s15:c0.c255".

Thanks, that's what I thought as well. Here is my result of testing this:

root linux user, id:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t:SystemLow-SystemHigh

mcthomps linux user, id:
uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps) context=user_u:user_r:user_t:SystemLow

When I have the following audit rule:
auditctl -a entry,always -S chmod -F se_clr=s0
the chmod actions taken by mcthomps get logged, but not those done by root (this is as expected).

When the audit rule is
auditctl -a entry,always -S chmod -F se_clr=s15:c0.c255
the chmod actions taken by root get logged, but not by mcthomps (also expected).

However, for se_sen, this does not seem to be the case. The rule:
auditctl -a entry,always -S chmod -F se_se=s0
should cause chmod actions taken by both mcthomps and root to be logged, right? However, I'm only seeing the result of actions taken by mcthomps.

I've also tried to see if se_sen was the entire context, but that doesn't seem to be the case...

Any ideas? If someone else could take a crack at testing this too, I'd like to make sure it's not just me :)

Thanks,
Mike
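The mapping Stephen describes (se_sen is the low end of the MLS range, se_clr the high end) and the three rules Mike tested can be replayed against the two users' contexts in a few lines. The following is an added example, not code from the thread, auditctl or SELinux: it splits a context into the fields audit exposes, including the single-level and non-MLS cases, and reports which of the two users each rule should catch. The TRANSLATIONS table is an assumption taken from the two spellings of root's context quoted above (SystemLow-SystemHigh versus s0-s15:c0.c255), and plain string equality is a stand-in for the level comparison the kernel hands to SELinux.

```python
"""Model of how audit's se_* rule fields map onto a SELinux MLS context.

Added example, not code from the thread or from audit/SELinux.  It splits a
context the way the se_user/se_role/se_type/se_sen/se_clr fields carve it up
(low end of the range -> se_sen, high end -> se_clr) and replays the three
rules from the message against the two users' contexts.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Optional

# Translated level names as printed by `id` in the thread.  The mapping is an
# assumption taken from the two spellings of root's context on the page;
# auditctl -F se_* values use the raw form.
TRANSLATIONS = {"SystemLow": "s0", "SystemHigh": "s15:c0.c255"}

# Constructed from the `id` output quoted in the message.
THREAD_CONTEXTS = {
    "root": "root:staff_r:staff_t:SystemLow-SystemHigh",
    "mcthomps": "user_u:user_r:user_t:SystemLow",
}


@dataclass(frozen=True)
class AuditSubject:
    se_user: str
    se_role: str
    se_type: str
    se_sen: Optional[str]  # low level of the MLS range (current sensitivity)
    se_clr: Optional[str]  # high level of the MLS range (clearance)


def untranslate(level: str) -> str:
    """Map a translated level name back to its raw s<N>[:cats] form."""
    return TRANSLATIONS.get(level, level)


def parse_context(ctx: str) -> AuditSubject:
    """Split user:role:type[:range] into the fields audit exposes.

    Categories also use ':' (s15:c0.c255), so only the first three separators
    delimit fields; everything after them is the MLS range.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {ctx!r}")
    user, role, type_ = parts[:3]
    if len(parts) == 3:
        # Non-MLS policy: no range, so se_sen/se_clr have nothing to match.
        return AuditSubject(user, role, type_, None, None)
    low, _, high = parts[3].partition("-")
    low = untranslate(low)
    # A single-level context such as "s0" has low == high, so se_sen and
    # se_clr name the same level.
    high = untranslate(high) if high else low
    return AuditSubject(user, role, type_, low, high)


def rule_matches(field: str, value: str, subj: AuditSubject) -> bool:
    """Model `-F <field>=<value>` with an exact-level comparison.

    String equality stands in for the level comparison the kernel delegates
    to SELinux; it is enough for the equality rules exercised in the thread.
    """
    if field not in {f.name for f in fields(AuditSubject)}:
        raise ValueError(f"unknown audit subject field: {field!r}")
    actual = getattr(subj, field)
    return actual is not None and actual == untranslate(value)


def expected_hits(field: str, value: str,
                  contexts: Dict[str, str] = THREAD_CONTEXTS) -> List[str]:
    """Names of users whose chmod calls the rule should log."""
    return sorted(name for name, ctx in contexts.items()
                  if rule_matches(field, value, parse_context(ctx)))


if __name__ == "__main__":
    for field, value in (("se_clr", "s0"), ("se_clr", "s15:c0.c255"),
                         ("se_sen", "s0")):
        print(f"-F {field}={value:<12} -> {expected_hits(field, value)}")
```

Under this model the two se_clr rules each select exactly one user, as observed, while `-F se_sen=s0` selects both, which is the outcome the message expected and did not see; the model is only a statement of the expected semantics, not of what the kernel of that era actually did.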