Daniel J Walsh wrote:
Michael C Thompson wrote:
With the following contexts:
bash-3.1# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
bash-3.1# ls -Z /var/log/audit/audit.log
-rw-r----- root root system_u:object_r:auditd_log_t:s15:c0.c1023 /var/log/audit/audit.log
Doing a simple less /var/log/audit/audit.log generates the following
AVC records. The operation succeeds, but this seems like an excessive
amount of records that are being generated. Is there a reason why
auditadm_t is disallowed dac_override?
type=AVC msg=audit(1161117931.187:182): avc: denied { dac_override }
for pid=1998 comm="less" capability=1
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:182): avc: denied {
dac_read_search } for pid=1998 comm="less" capability=2
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33
success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0
ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.187:183): avc: denied { dac_override }
for pid=1998 comm="less" capability=1
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:183): avc: denied {
dac_read_search } for pid=1998 comm="less" capability=2
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:183): arch=14 syscall=5
success=no exit=-13 a0=100400d8 a1=10000 a2=0 a3=73 items=0 ppid=1846
pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.187:184): avc: denied { dac_override }
for pid=1998 comm="less" capability=1
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:184): avc: denied {
dac_read_search } for pid=1998 comm="less" capability=2
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:184): arch=14 syscall=5
success=no exit=-13 a0=10042200 a1=10000 a2=1b6 a3=1b6 items=0
ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.195:185): avc: denied { dac_override }
for pid=1999 comm="sh" capability=1
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.195:185): avc: denied {
dac_read_search } for pid=1999 comm="sh" capability=2
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195
success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660
a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh"
exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
key=(null)
I can add dac_override and dac_read_search, but I have no idea why they
are needed?
Is there something in the path that root is not allowed to read? Are
you in a directory where root is not allowed to read?
Ah, yes, I see it now. I hate when I overlook the obvious. These are
being generated because I am logging in with a non-root user, su'ing to
root, and then newrole'ing to auditadm_r - the end result being root
needing these privileges to read the contents of that user's home directory.
If it's not an issue, it would be nice to have these DAC overrides
associated with the administrative roles, since they will need to be
acting as DAC root in most every useful scenario.
Thanks,
Mike
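As an added example (not code from the thread or from the SELinux policy), a small Python triage script that does what the reader of the records above has to do by hand: re-join the AVC lines with the SYSCALL record sharing their audit serial, map the numeric capability to its CAP_* name, pull the domain out of the subject context and turn the syscall's exit value into an errno name. The sample records are a constructed copy of the ones quoted above, and CAP_NAMES is a partial table assumed from <linux/capability.h>.

```python
import errno
import re
from collections import defaultdict
# Capability numbers as printed in AVC records (partial table, from <linux/capability.h>).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER"}
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"denied \{ ([^}]*) \}")

CTX = "staff_u:auditadm_r:auditadm_t:s15:c0.c1023"
# Constructed sample: records quoted in the thread, re-joined one per line.
SAMPLE = "\n".join([
    f'type=AVC msg=audit(1161117931.187:182): avc: denied {{ dac_override }} for pid=1998 comm="less" capability=1 scontext={CTX} tcontext={CTX} tclass=capability',
    f'type=AVC msg=audit(1161117931.187:182): avc: denied {{ dac_read_search }} for pid=1998 comm="less" capability=2 scontext={CTX} tcontext={CTX} tclass=capability',
    f'type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33 success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0 ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" subj={CTX} key=(null)',
    f'type=AVC msg=audit(1161117931.195:185): avc: denied {{ dac_override }} for pid=1999 comm="sh" capability=1 scontext={CTX} tcontext={CTX} tclass=capability',
    f'type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195 success=no exit=-13 items=0 ppid=1998 pid=1999 auid=500 uid=0 euid=0 tty=pts2 comm="sh" exe="/bin/bash" subj={CTX} key=(null)',
])

def group_by_serial(text):
    """Pair AVC lines with the SYSCALL record that shares their audit serial."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            fields["perms"] = DENIED_RE.search(line).group(1).split()
            events[int(m.group(2))]["avc"].append(fields)
        elif fields.get("type") == "SYSCALL":
            events[int(m.group(2))]["syscall"] = fields
    return events

def triage(text):
    """One row per event: domain, capabilities denied, and whether the syscall failed."""
    rows = []
    for serial, ev in sorted(group_by_serial(text).items()):
        sc = ev["syscall"] or {}
        rows.append({
            "serial": serial, "comm": sc.get("comm"),
            "domain": sc["subj"].split(":")[2] if "subj" in sc else None,
            "caps": sorted(CAP_NAMES.get(int(a["capability"]), a["capability"])
                           for a in ev["avc"] if a.get("tclass") == "capability"),
            # capability checks are always against the process's own context
            "self_check": all(a["scontext"] == a["tcontext"] for a in ev["avc"]),
            "syscall": int(sc["syscall"]) if "syscall" in sc else None,
            "failed": sc.get("success") == "no",
            # exit=-13 is -EACCES; a positive exit means the call succeeded
            "errno": errno.errorcode.get(-int(sc.get("exit", "0"))),
        })
    return rows
```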
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp