From: Cai Xianchao
Subject: Re: ausearch / policy question
Date: Fri, 25 Jul 2008 14:27:26 +0800
Message-ID: <4889724E.2080106@cn.fujitsu.com>
To: lenny@magitekltd.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 23 July 2008 18:30:45 LC Bruzenak wrote:
> 2: why is ausearch producing the AVCs?
>

Low level is the minimum access needed to read files created by that user. If the low level of a process is lower than the file's, it's not permitted.

> type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc: denied
> { read } for pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
> scontext=root:staff_r:staff_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
>
>

In the message, the level of audit.log is s15:c0.c1023, while the current process is s0. So the process can't read audit.log and AVCs are produced.

Regards
Cai Xianchao
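As an added illustration (not part of the mail above, nor of the audit or SELinux tooling), the level comparison the reply describes, applied to the quoted AVC record. The parsing helpers and the simplified rule that the subject's low level must dominate the file's level are assumptions made for this example, not a reproduction of the policy's actual MLS constraints.

```python
import re

# Constructed sample, modelled on the AVC record quoted in the thread.
AVC_LINE = ("avc: denied { read } for pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698 "
            "scontext=root:staff_r:staff_t:s0-s15:c0.c1023 "
            "tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file")


def parse_level(level):
    """Turn 's15:c0.c1023' or 's0' into (sensitivity, frozenset of categories)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in cats.split(",") if cats else []:
        if "." in part:  # 'c0.c1023' is a closed range of categories
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_range(mls):
    """Split an MLS field into (low, high); a single level is its own high."""
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories include all of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def mls_field(context):
    # A context is user:role:type:mls; the MLS part may itself contain ':'.
    return context.split(":", 3)[3]


def can_read(scontext, tcontext):
    """Assumed rule from the mail: the subject's low (current) level must dominate the file's level."""
    subj_low, _ = parse_range(mls_field(scontext))
    obj_level, _ = parse_range(mls_field(tcontext))
    return dominates(subj_low, obj_level)


def explain_read_denial(avc_line):
    """Pull both contexts out of an AVC record and report why the read was refused."""
    scontext = re.search(r"scontext=(\S+)", avc_line).group(1)
    tcontext = re.search(r"tcontext=(\S+)", avc_line).group(1)
    subj_low = parse_range(mls_field(scontext))[0]
    obj_level = parse_range(mls_field(tcontext))[0]
    return {"subject_low": subj_low[0], "object_level": obj_level[0],
            "read_allowed": can_read(scontext, tcontext)}
```

Running `explain_read_denial(AVC_LINE)` reports the process at s0 against the file at s15, which is exactly the mismatch the reply points to.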