On Tue, 2006-08-08 at 13:31 -0400, [EMAIL PROTECTED] wrote:
> On Tue, 2006-08-08 at 12:21 -0500, Klaus Weidner wrote:
> > On Tue, Aug 08, 2006 at 12:52:37PM -0400, Stephen Smalley wrote:
> > > # Audit setting of fscreate attribute.
> > > auditallow domain self:process setfscreate;
> > > or
> > > # Audit writing to all /proc/pid files.
> > > auditallow domain self:file write;
> > This sounds like a good solution, I didn't know that this works. Can
> > someone verify that the audit record contains the LSPP required data
> > such as the subject label?
> Thanks Klaus. Thiago and I will verify this.

We did one test with the auditallow rule for write and another with the
auditallow rule for setfscreate. The records found in the audit log for
both tests are attached. The difference is that the auditallow rule for
the write operation adds PATH and AVC_PATH audit records, while the
setfscreate rule just generates AVC and SYSCALL records.

Both mention the pid and security context of the subject changing the
fscreate file both in the AVC message and in the SYSCALL message, but
none of them displays the new contents of the fscreate file.

Klaus: do you think the info there is sufficient for LSPP?
-- 
Thiago Jung Bauermann
Software Engineer
IBM Linux Technology Center
type=AVC msg=audit(1155061888.325:12389): avc:  granted  { write } for  pid=28304 comm="bash" name="fscreate" dev=proc ino=1854930971 scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=file
type=AVC msg=audit(1155061888.325:12389): avc:  granted  { write } for  pid=28304 comm="bash" name="fscreate" dev=proc ino=1854930971 scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=file
type=SYSCALL msg=audit(1155061888.325:12389): arch=14 syscall=5 success=yes exit=3 a0=10106e98 a1=10241 a2=1b6 a3=1011e560 items=1 ppid=28303 pid=28304 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0 key=(null)
type=CWD msg=audit(1155061888.325:12389):  cwd="/root"
type=PATH msg=audit(1155061888.325:12389): item=0 name="/proc/28304/attr/fscreate" inode=1854930967 dev=00:03 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=root:sysadm_r:sysadm_t:s0
type=AVC msg=audit(1155061888.325:12390): avc:  granted  { write } for  pid=28304 comm="bash" name="fscreate" dev=proc ino=1854930971 scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=file
type=SYSCALL msg=audit(1155061888.325:12390): arch=14 syscall=4 success=yes exit=26 a0=1 a1=f7df5000 a2=1a a3=fffffffffefefeff items=0 ppid=28303 pid=28304 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0 key=(null)
type=AVC_PATH msg=audit(1155061888.325:12390):  path="/proc/28304/attr/fscreate"
type=AVC msg=audit(1155063698.005:12483): avc:  granted  { setfscreate } for  pid=28304 comm="bash" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=process
type=SYSCALL msg=audit(1155063698.005:12483): arch=14 syscall=4 success=yes exit=26 a0=1 a1=f7df5000 a2=1a a3=fffffffffefefeff items=0 ppid=28303 pid=28304 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0 key=(null)

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
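As an added example (not code from the thread or the list), a small Python checker that groups the attached records by audit serial and reports, per event, whether the subject label, pid and auid are present and whether an object path is shown. The sample log is copied from the records above; the field names (scontext, subj, name, path) are the ones visible in those records.

```python
import re
from collections import defaultdict
# Records copied from the thread above (serials 12389/12390 from the "write"
# test, 12483 from the "setfscreate" test); the duplicate AVC and CWD lines are dropped.
SAMPLE_LOG = """\
type=AVC msg=audit(1155061888.325:12389): avc:  granted  { write } for  pid=28304 comm="bash" name="fscreate" dev=proc ino=1854930971 scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=file
type=SYSCALL msg=audit(1155061888.325:12389): arch=14 syscall=5 success=yes exit=3 a0=10106e98 a1=10241 a2=1b6 a3=1011e560 items=1 ppid=28303 pid=28304 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0 key=(null)
type=PATH msg=audit(1155061888.325:12389): item=0 name="/proc/28304/attr/fscreate" inode=1854930967 dev=00:03 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=root:sysadm_r:sysadm_t:s0
type=AVC msg=audit(1155061888.325:12390): avc:  granted  { write } for  pid=28304 comm="bash" name="fscreate" dev=proc ino=1854930971 scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=file
type=SYSCALL msg=audit(1155061888.325:12390): arch=14 syscall=4 success=yes exit=26 a0=1 a1=f7df5000 a2=1a a3=fffffffffefefeff items=0 ppid=28303 pid=28304 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0 key=(null)
type=AVC_PATH msg=audit(1155061888.325:12390):  path="/proc/28304/attr/fscreate"
type=AVC msg=audit(1155063698.005:12483): avc:  granted  { setfscreate } for  pid=28304 comm="bash" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:sysadm_t:s0 tclass=process
type=SYSCALL msg=audit(1155063698.005:12483): arch=14 syscall=4 success=yes exit=26 a0=1 a1=f7df5000 a2=1a a3=fffffffffefefeff items=0 ppid=28303 pid=28304 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0 key=(null)
"""
HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM = re.compile(r"avc:\s+(granted|denied)\s+\{ ([^}]*) \}")

def parse_events(text):
    """Group records by audit serial and pull out the fields an LSPP auditor needs."""
    events = defaultdict(lambda: {"types": set(), "perms": set(), "pid": None,
                                  "auid": None, "subject": None, "path": None})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["types"].add(rtype)
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if (p := PERM.search(body)):
            ev["perms"].update(p.group(2).split())
        ev["pid"] = ev["pid"] or fields.get("pid")
        ev["auid"] = ev["auid"] or fields.get("auid")
        # Subject label: scontext= on the AVC record, subj= on the SYSCALL record.
        ev["subject"] = ev["subject"] or fields.get("scontext") or fields.get("subj")
        # Object path: name= on PATH, path= on AVC_PATH; absent for a process-class check.
        if rtype in ("PATH", "AVC_PATH"):
            ev["path"] = fields.get("name") or fields.get("path")
    return dict(events)

def check_events(text):
    """Per serial: permissions, subject label, missing identity fields, object path."""
    report = {}
    for serial, ev in parse_events(text).items():
        missing = [f for f in ("pid", "auid", "subject") if ev[f] is None]
        report[serial] = {"perms": sorted(ev["perms"]), "subject": ev["subject"],
                          "types": sorted(ev["types"]), "missing": missing, "path": ev["path"]}
    return report
```

Run against the attached records, all three events carry pid, auid and the subject label, and only the setfscreate event lacks an object path, which matches the observation in the message above.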
