On Tue, 2006-08-08 at 10:57 -0500, Klaus Weidner wrote:
> On Tue, Aug 08, 2006 at 09:19:20AM -0400, Janak Desai wrote:
> > On Mon, 2006-08-07 at 16:14 -0400, Stephen Smalley wrote:
> > > fscreate isn't a real file; it is just a kernel interface for setting an
> > > attribute of the process, like calling umask(2) to set the file mode
> > > creation mask.
> > 
> > Good point. Just like we test (and audit) the use of umask system call,
> > we will have to audit the use of setfscreatecon. 
> 
> Yes, it's security relevant with an audit requirement. LSPP pg. 22 in the
> audit table, 5.4.2 FMT_MSA.3 "all modifications of the initial value of
> security attributes".
> 
> > Klaus, would it be sufficient, for meeting LSPP requirement, to
> > audit write(2) of the fscreate file?
> 
> I guess you could argue that it meets the requirement, but it's extremely
> ugly since it'll be hard to audit selectively. I don't think there's a
> sane way to set filesystem watches on all /proc/$PID/attr/fscreate files
> to get those specifically, and you don't want to be auditing all open(2)
> calls.
> 
> It would be much cleaner to have audit records specifically for the
> attr/* operations. I think they'll be fairly uncommon in general use, so
> I think it would be ok to always audit them without having specific
> auditctl filters.

Not sure if it would satisfy the need, but you could put auditallow
statements in the policy to trigger SELinux audit messages (and thus
also syscall audit messages at syscall exit) for these kinds of
operations, e.g.
        # Audit setting of fscreate attribute.
        auditallow domain self:process setfscreate;
or
        # Audit writing to all /proc/pid files.
        auditallow domain self:file write;

-- 
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
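
As an added illustration (not part of the original message or the list's own tooling): a Python sketch of how the records triggered by the `auditallow domain self:process setfscreate;` rule could be picked out of an audit log and paired with the syscall-exit record that shares their event id. The log lines are constructed samples, and the function and dictionary key names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records (not from a real system), in audit.log layout.
# An AVC "granted" record caused by an auditallow rule and the SYSCALL record
# written at syscall exit carry the same audit(timestamp:serial) event id.
SAMPLE_LOG = """\
type=AVC msg=audit(1155052640.101:311): avc:  granted  { setfscreate } for  pid=2412 comm="installer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1155052640.101:311): arch=40000003 syscall=4 success=yes exit=32 a0=3 a1=80a1f58 a2=20 a3=0 items=0 pid=2412 auid=500 uid=0 comm="installer" exe="/usr/sbin/installer" subj=user_u:system_r:unconfined_t:s0
type=AVC msg=audit(1155052655.440:312): avc:  denied  { read } for  pid=2500 comm="cat" name="shadow" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1155052655.440:312): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2500 auid=501 uid=501 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0
type=AVC msg=audit(1155052701.009:320): avc:  granted  { setfscreate } for  pid=2600 comm="rpm" scontext=root:sysadm_r:rpm_t:s0 tcontext=root:sysadm_r:rpm_t:s0 tclass=process
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(body):
    """Turn 'key=value key="value"' pairs into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def setfscreate_events(log_text):
    """Return one entry per granted process:setfscreate AVC record."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, int(serial))][rtype].append(body)
    report = []
    for (ts, serial), recs in sorted(events.items(), key=lambda kv: kv[0][1]):
        # The SYSCALL record may be absent (syscall auditing off, lost record).
        sc = fields(recs["SYSCALL"][0]) if recs["SYSCALL"] else {}
        for body in recs["AVC"]:
            m = AVC.search(body)
            avc = fields(body)
            if (m and m.group(1) == "granted"
                    and "setfscreate" in m.group(2).split()
                    and avc.get("tclass") == "process"):
                report.append({"serial": serial, "pid": avc.get("pid"),
                               "comm": avc.get("comm"),
                               "scontext": avc.get("scontext"),
                               "exe": sc.get("exe"), "auid": sc.get("auid")})
    return report

if __name__ == "__main__":
    for event in setfscreate_events(SAMPLE_LOG):
        print(event)
```

The third constructed event has no SYSCALL record, so its `exe` and `auid` come back as `None` while the AVC fields are still reported.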
