On Fri, Apr 28, 2006 at 05:45:05PM -0400, Daniel J Walsh wrote:
> Michael C Thompson wrote:
> >I just checked, and with policy selinux-policy-mls-2.2.35-2, sysadm_r
> >and secadm_r can modify /etc/auditd.conf, /etc/audit.rules,
> >/etc/init.d/auditd can read and write these files.
> >
> secadm should not be able to edit auditd.conf or audit.rules. That is a
> bug. I do not know about sysadm
We can't expect a totally robust split between sysadm and audadm, and LSPP/RBAC still assume a trustworthy admin. I think the most important part is that sysadm should be prevented from using auditctl to modify rules, and from stopping/restarting auditd, which would ensure that the sysadm can't change the audit config without restarting the entire system.

Making /etc/audit.rules unwritable would be reasonable, but I think it would be ok to keep /etc/init.d/auditd and the auditd binary and libraries writable for sysadm. A malicious sysadm can fairly easily subvert audit (for example via custom rpm packages, kernel changes, library changes, debugfs, ...), and we need to draw the line somewhere. I think we need to accept that the system may be in an undefined state after a reboot if sysadm is malicious.

Can the RPM pre/postinstall scripts currently do absolutely anything? That would be an unpleasant loophole, but I don't know an easy way to fix that without potentially breaking RPM.

-Klaus

--
redhat-lspp mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-lspp
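As an added example (not code from the thread, the policy package or the list), here is a small Python check that scans a dump of SELinux allow rules for the paths Klaus wants closed to sysadm: write access to the audit configuration, executing auditctl, and executing the auditd init script. The type names auditd_etc_t, auditctl_exec_t and auditd_initrc_exec_t are assumed from the reference policy's audit module, and the rule listing is constructed for the example.

```python
import re

# Permissions that let a domain tamper with audit config or the daemon.
# Type names are assumed from the reference policy's audit module
# (auditd_etc_t for /etc/audit*, auditctl_exec_t for auditctl,
# auditd_initrc_exec_t for /etc/init.d/auditd); adjust for your policy.
# 'execute' is listed because both running the binary directly and a
# domain transition into it require execute on the file.
FORBIDDEN = {
    "auditd_etc_t": {"write", "append", "create", "unlink", "rename", "setattr"},
    "auditctl_exec_t": {"execute", "execute_no_trans"},
    "auditd_initrc_exec_t": {"execute", "execute_no_trans"},
}

# TE allow-rule syntax as printed by policy query tools (e.g. sesearch).
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;"
)


def parse_allow(line):
    """Return (source, target, class, perms) or None for non-allow lines."""
    m = ALLOW_RE.match(line)
    if not m:
        return None
    src, tgt, cls, perms = m.groups()
    return src, tgt, cls, set(perms.strip("{} ").split())


def find_violations(rules, roles=("sysadm_t", "secadm_t")):
    """Return (source, target, sorted offending perms) for every rule that
    grants an audit-tampering permission to one of the given domains."""
    hits = []
    for line in rules.splitlines():
        parsed = parse_allow(line)
        if parsed is None:
            continue
        src, tgt, _cls, perms = parsed
        if src not in roles or tgt not in FORBIDDEN:
            continue
        bad = perms & FORBIDDEN[tgt]
        if bad:
            hits.append((src, tgt, sorted(bad)))
    return hits


# Constructed sample listing; read-only access to the config is fine.
SAMPLE_RULES = """\
allow sysadm_t auditd_etc_t : file { read getattr open };
allow sysadm_t auditd_etc_t : file { write append setattr };
allow secadm_t auditd_etc_t : file { read write };
allow sysadm_t auditctl_exec_t : file { execute execute_no_trans };
allow auditadm_t auditd_etc_t : file { read write };
allow sysadm_t auditd_log_t : dir { read search };
"""

if __name__ == "__main__":
    for src, tgt, perms in find_violations(SAMPLE_RULES):
        print(f"{src} -> {tgt}: {' '.join(perms)}")
```

The default role list covers the two domains Michael found able to modify the files; pass roles=("auditadm_t",) to confirm the audit administrator still keeps the access the other roles lose.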
