* watching files in selinuxfs
@ 2006-09-27 21:26 Debora Velarde
2006-09-27 21:46 ` Linda Knippers
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Debora Velarde @ 2006-09-27 21:26 UTC (permalink / raw)
To: linux-audit
When in enforcing mode, I am only able to audit files in selinuxfs by
inode, not by path. I am running as auditadm_r.
/* Try adding audit rule with -F path */
# auditctl -a exit,always -S open -F path=/selinux/enforce
Error sending add rule request (Permission denied)
# auditctl -l
No rules
/* Try adding audit rule with -w path syntax */
# auditctl -w /selinux/enforce
Error sending add rule request (Permission denied)
/* Try adding audit rule with -F inode */
# ls -i /selinux/enforce
4 /selinux/enforce
# auditctl -a exit,always -S open -F inode=4
# auditctl -l
LIST_RULES: exit,always inode=4 (0x4) syscall=open
Since it is possible to audit the files, this might only require a
documentation change. Perhaps adding a comment to the auditctl man page
would be sufficient?
-debbie
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: watching files in selinuxfs
2006-09-27 21:26 watching files in selinuxfs Debora Velarde
@ 2006-09-27 21:46 ` Linda Knippers
2006-09-27 22:11 ` Klaus Weidner
2006-09-28 13:34 ` Stephen Smalley
2006-09-28 20:33 ` Steve Grubb
2 siblings, 1 reply; 10+ messages in thread
From: Linda Knippers @ 2006-09-27 21:46 UTC (permalink / raw)
To: Debora Velarde; +Cc: linux-audit
Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path. I am running as auditadm_r.
>
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)
>
> # auditctl -l
> No rules
>
> /* Try adding audit rule with -w path syntax */
> # auditctl -w /selinux/enforce
> Error sending add rule request (Permission denied)
>
> /* Try adding audit rule with -F inode */
> # ls -i /selinux/enforce
> 4 /selinux/enforce
>
> # auditctl -a exit,always -S open -F inode=4
> # auditctl -l
> LIST_RULES: exit,always inode=4 (0x4) syscall=open
I wonder what this is actually doing. An inode number without
a file system isn't very interesting. Should this rule even
be accepted?
>
> Since it is possible to audit the files, this might only require a
> documentation change. Perhaps adding a comment to the auditctl man page
> would be sufficient?
>
> -debbie
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: watching files in selinuxfs
2006-09-27 21:46 ` Linda Knippers
@ 2006-09-27 22:11 ` Klaus Weidner
2006-09-27 22:18 ` Linda Knippers
0 siblings, 1 reply; 10+ messages in thread
From: Klaus Weidner @ 2006-09-27 22:11 UTC (permalink / raw)
To: Linda Knippers; +Cc: linux-audit
On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
> Debora Velarde wrote:
> > # auditctl -a exit,always -S open -F inode=4
> > # auditctl -l
> > LIST_RULES: exit,always inode=4 (0x4) syscall=open
>
> I wonder what this is actually doing. An inode number without
> a file system isn't very interesting. Should this rule even
> be accepted?
Well, probably this is telling the audit system to audit access to all
inodes with the number 4 on any filesystem, and if that's not what you
want you need to be more specific...
Given the Unix philosophy of allowing admins to shoot themselves in the
foot, would a warning be appropriate?
-Klaus
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: watching files in selinuxfs
2006-09-27 22:11 ` Klaus Weidner
@ 2006-09-27 22:18 ` Linda Knippers
2006-09-28 1:59 ` Valdis.Kletnieks
0 siblings, 1 reply; 10+ messages in thread
From: Linda Knippers @ 2006-09-27 22:18 UTC (permalink / raw)
To: Klaus Weidner; +Cc: linux-audit
Klaus Weidner wrote:
> On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
>
>>Debora Velarde wrote:
>>
>>># auditctl -a exit,always -S open -F inode=4
>>># auditctl -l
>>>LIST_RULES: exit,always inode=4 (0x4) syscall=open
>>
>>I wonder what this is actually doing. An inode number without
>>a file system isn't very interesting. Should this rule even
>>be accepted?
>
>
> Well, probably this is telling the audit system to audit access to all
> inodes with the number 4 on any filesystem, and if that's not what you
> want you need to be more specific...
That's exactly what its doing. Debora verified she's getting the audit
record she's looking for and I verified that you'll also get audit records
for any inode 4, at least on my system.
>
> Given the Unix philosophy of allowing admins to shoot themselves in the
> foot, would a warning be appropriate?
I would think so. I'm not exactly sure how you'd specify the file system
you want. Is the major/minor pair?
-- ljk
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: watching files in selinuxfs
2006-09-27 22:18 ` Linda Knippers
@ 2006-09-28 1:59 ` Valdis.Kletnieks
2006-09-28 15:33 ` Casey Schaufler
0 siblings, 1 reply; 10+ messages in thread
From: Valdis.Kletnieks @ 2006-09-28 1:59 UTC (permalink / raw)
To: Linda Knippers; +Cc: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 347 bytes --]
On Wed, 27 Sep 2006 18:18:45 EDT, Linda Knippers said:
>
> I would think so. I'm not exactly sure how you'd specify the file system
> you want. Is the major/minor pair?
What's the major/minor for /proc?
(or any other pseudo file system that one might want to put a watch on).
(And am I going to get a brick lobbed at me if I say "unionfs"? :)
[-- Attachment #1.2: Type: application/pgp-signature, Size: 226 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: watching files in selinuxfs
2006-09-28 1:59 ` Valdis.Kletnieks
@ 2006-09-28 15:33 ` Casey Schaufler
0 siblings, 0 replies; 10+ messages in thread
From: Casey Schaufler @ 2006-09-28 15:33 UTC (permalink / raw)
To: Valdis.Kletnieks, Linda Knippers; +Cc: linux-audit
--- Valdis.Kletnieks@vt.edu wrote:
> On Wed, 27 Sep 2006 18:18:45 EDT, Linda Knippers
> said:
> >
> > I would think so. I'm not exactly sure how you'd
> specify the file system
> > you want. Is the major/minor pair?
>
> What's the major/minor for /proc?
You should be able to get that from the
audit record generated by an operation
if you decided to audit /proc/<something>
and then attempt an illegel access.
I wouldn't be too surprised if the value
reported is uninformative. The dev number
is in the audit record for file access,
right?
> (or any other pseudo file system that one might want
> to put a watch on).
If the "device" is not meaningfull there ought
to be something useful in the superblock.
> (And am I going to get a brick lobbed at me if I say
> "unionfs"? :)
A half-brick. They have better range.
Casey Schaufler
casey@schaufler-ca.com
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: watching files in selinuxfs
2006-09-27 21:26 watching files in selinuxfs Debora Velarde
2006-09-27 21:46 ` Linda Knippers
@ 2006-09-28 13:34 ` Stephen Smalley
2006-09-28 18:39 ` Debora Velarde
2006-09-28 20:33 ` Steve Grubb
2 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2006-09-28 13:34 UTC (permalink / raw)
To: Debora Velarde; +Cc: linux-audit
On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path. I am running as auditadm_r.
>
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)
What avc denial do you get? I suspect this just means the policy should
be changed to allow e.g. search on security_t:dir for auditctl.
>
> # auditctl -l
> No rules
>
> /* Try adding audit rule with -w path syntax */
> # auditctl -w /selinux/enforce
> Error sending add rule request (Permission denied)
>
> /* Try adding audit rule with -F inode */
> # ls -i /selinux/enforce
> 4 /selinux/enforce
>
> # auditctl -a exit,always -S open -F inode=4
> # auditctl -l
> LIST_RULES: exit,always inode=4 (0x4) syscall=open
>
>
> Since it is possible to audit the files, this might only require a
> documentation change. Perhaps adding a comment to the auditctl man page
> would be sufficient?
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: watching files in selinuxfs
2006-09-28 13:34 ` Stephen Smalley
@ 2006-09-28 18:39 ` Debora Velarde
0 siblings, 0 replies; 10+ messages in thread
From: Debora Velarde @ 2006-09-28 18:39 UTC (permalink / raw)
To: Stephen Smalley; +Cc: linux-audit
Stephen Smalley <sds@tycho.nsa.gov> wrote on 09/28/2006 06:34:43 AM:
> On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> > When in enforcing mode, I am only able to audit files in selinuxfs by
> > inode, not by path. I am running as auditadm_r.
> >
> > /* Try adding audit rule with -F path */
> > # auditctl -a exit,always -S open -F path=/selinux/enforce
> > Error sending add rule request (Permission denied)
>
> What avc denial do you get? I suspect this just means the policy should
> be changed to allow e.g. search on security_t:dir for auditctl.
I don't see any AVC messages when I try to add this rule.
The only new record I see is:
type=CONFIG_CHANGE msg=audit(1159461436.758:1016): auid=500
subj=staff_u:auditadm_r:auditctl_t:s0-s15:c0.c255 add rule key=(null)
list=4 res=0
But no rule was added:
# auditctl -l
No rules
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: watching files in selinuxfs
2006-09-27 21:26 watching files in selinuxfs Debora Velarde
2006-09-27 21:46 ` Linda Knippers
2006-09-28 13:34 ` Stephen Smalley
@ 2006-09-28 20:33 ` Steve Grubb
2006-09-28 20:42 ` Stephen Smalley
2 siblings, 1 reply; 10+ messages in thread
From: Steve Grubb @ 2006-09-28 20:33 UTC (permalink / raw)
To: linux-audit
On Wednesday 27 September 2006 17:26, Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path. I am running as auditadm_r.
>
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)
When I do this command, I see AVC's:
time->Thu Sep 28 16:25:12 2006
type=AVC msg=audit(1159475112.366:289): avc: denied { getattr } for
pid=12893 comm="auditctl" name="/" dev=hda7 ino=2
scontext=root:system_r:auditctl_t:s0-s0:c0.c255
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
allow auditctl_t fs_t:filesystem getattr;
allow auditctl_t security_t:dir search;
-Steve
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: watching files in selinuxfs
2006-09-28 20:33 ` Steve Grubb
@ 2006-09-28 20:42 ` Stephen Smalley
0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2006-09-28 20:42 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Thu, 2006-09-28 at 16:33 -0400, Steve Grubb wrote:
> On Wednesday 27 September 2006 17:26, Debora Velarde wrote:
> > When in enforcing mode, I am only able to audit files in selinuxfs by
> > inode, not by path. I am running as auditadm_r.
> >
> > /* Try adding audit rule with -F path */
> > # auditctl -a exit,always -S open -F path=/selinux/enforce
> > Error sending add rule request (Permission denied)
>
> When I do this command, I see AVC's:
>
> time->Thu Sep 28 16:25:12 2006
> type=AVC msg=audit(1159475112.366:289): avc: denied { getattr } for
> pid=12893 comm="auditctl" name="/" dev=hda7 ino=2
> scontext=root:system_r:auditctl_t:s0-s0:c0.c255
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> allow auditctl_t fs_t:filesystem getattr;
> allow auditctl_t security_t:dir search;
Yes, seems like that should just be addressed through policy (but likely
in a broader sense, not just these particular types).
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2006-09-28 20:42 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-09-27 21:26 watching files in selinuxfs Debora Velarde
2006-09-27 21:46 ` Linda Knippers
2006-09-27 22:11 ` Klaus Weidner
2006-09-27 22:18 ` Linda Knippers
2006-09-28 1:59 ` Valdis.Kletnieks
2006-09-28 15:33 ` Casey Schaufler
2006-09-28 13:34 ` Stephen Smalley
2006-09-28 18:39 ` Debora Velarde
2006-09-28 20:33 ` Steve Grubb
2006-09-28 20:42 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox