From mboxrd@z Thu Jan 1 00:00:00 1970 From: Darrel Goeddel Subject: [PATCH] fix se_sen audit filter Date: Wed, 24 May 2006 09:06:46 -0500 Message-ID: <44746876.5000408@trustedcs.com> References: <446DDF21.4080808@us.ibm.com> <1148051869.25168.144.camel@moss-spartans.epoch.ncsc.mil> <446DE48C.3010509@us.ibm.com> <1148056260.3469.222.camel@code.and.org> <446E03EE.5090707@us.ibm.com> <1148066375.3469.232.camel@code.and.org> <446E1CCD.4090805@us.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <446E1CCD.4090805@us.ibm.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Michael C Thompson , Stephen Smalley , Alexander Viro Cc: Linux Audit List-Id: linux-audit@redhat.com Michael C Thompson wrote: > James Antill wrote: > >> On Fri, 2006-05-19 at 12:44 -0500, Michael C Thompson wrote: >> >>> James Antill wrote: >>> >>>> On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote: >>>> >>>>> Thanks, that's what I thought as well. Here is my result of testing >>>>> this: >>>>> >>>>> root linux user, id: >>>>> context=root:staff_r:staff_t:SystemLow-SystemHigh >>>>> >>>>> mcthomps linux user, id: >>>>> context=user_u:user_r:user_t:SystemLow >>>>> >>>>> When I have the following audit rule is >>>>> auditctl -a entry,always -S chmod -F se_clr=s0 >>>>> the chmod actions taken by mcthomps get logged, but not those done >>>>> by root (this is as expected). >>>> >>>> This means that a "range" of s0 is being interpreted as: >>>> >>>> se_sen='' >>>> se_clr='s0' >>>> >>>> ...which isn't what I'd expect, but given that... >>> >>> I'm sorry, I do not follow what you mean here. >> >> >> The mls range for root is s0-s0:c0.c255, where: >> >> se_sen = s0 >> se_clr = s0:c0.c255 > > > Right, this makes sense. > >> The mls range for mcthomps is s0, given the above works then: >> >> se_clr = s0 >> >> ...and given the range is s0 and not s0-s0 then se_sen must be blank >> (and so won't match s0). > > > > AFIAK, you must have both a low and a high, which means for mcthomps, > se_sen=0 and se_clr=s0. > > The testing that I have done with auditctl's se_sen and se_clr filters > has the se_clr working for both the root user and the mcthomps user, but > se_sen only captures audit events for mcthomps when: > auditctl -a entry,always -S chmod -F se_sen=s0 > > I would expect that since se_sen=s0 for both root and mcthomps, that > both of their chmod actions would be logged, but root's actions are not > being captured. > > This leads me to believe either our definition of se_sen is wrong, or if > our definition of se_sen is correct, then the implementation of se_sen > has some bug in it. Bug seems to be the way to go here. Below is a patch that fixes it. Fix a broken comparison that causes the process clearance to be checked for both se_clr and se_sen audit filters. Signed-off-by: Darrel Goeddel -- diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index c284dbb..e9548bc 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1980,7 +1980,7 @@ int selinux_audit_rule_match(u32 ctxid, break; case AUDIT_SE_SEN: case AUDIT_SE_CLR: - level = (op == AUDIT_SE_SEN ? + level = (field == AUDIT_SE_SEN ? &ctxt->range.level[0] : &ctxt->range.level[1]); switch (op) { case AUDIT_EQUAL: -- Darrel