Loulwa Salem wrote:
> I was running some test cases and ran into a scenario where secadm_r was
> permitted to write to /var/log/audit/audit.log
> I was not expecting secadm to be able to perform that operation. However,
> secadm_r was denied appends to the log, and I get AVC messages for
> append perms in the log (see output below).
>
> I am running with the latest .74 kernel and policy.54 in Enforcing, of course.
>
> It doesn't really make sense to me that secadm can completely overwrite
> the audit log but can't append to it. I didn't think secadm should even
> have write permission to audit log in the first place
>
> Any thoughts on this .. ?
I think one way or another, you've uncovered a bug and should file a
bugzilla. Either the append should work or the truncate/write
shouldn't. I can envision cases where one might want to allow
someone to append but not truncate but you're seeing the opposite.
I don't recall whether this is supposed to work for secadm_r or
not but I'm thinking that it should. I assume both operations work
with sysadm_r?
-- ljk
>
> Thanks
> - Loulwa
>
> Here are the steps I did...
>
> [root/secadm_r/[EMAIL PROTECTED] bin]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=staff_u:secadm_r:secadm_t:SystemLow-SystemHigh
>
> [root/secadm_r/[EMAIL PROTECTED] bin]# ls -Z /var/log/audit/audit.log
> -rw-r----- root root system_u:object_r:auditd_log_t:SystemHigh
> /var/log/audit/audit.log
>
> [root/secadm_r/[EMAIL PROTECTED] bin]# echo "boo" >
> /var/log/audit/audit.log
> [root/secadm_r/[EMAIL PROTECTED] bin]# cat /var/log/audit/audit.log
> boo
>
> [root/secadm_r/[EMAIL PROTECTED] bin]# echo "boo2" >>
> /var/log/audit/audit.log
> -bash: /var/log/audit/audit.log: Permission denied
> [root/secadm_r/[EMAIL PROTECTED] bin]# cat /var/log/audit/audit.log
> boo
> type=AVC msg=audit(1176408498.736:844): avc: denied { append } for
> pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916
> scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no
> exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850
> pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts2 comm="bash" exe="/bin/bash"
> subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(1176408498.737:845): avc: denied { append } for
> pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916
> scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no
> exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850
> pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts2 comm="bash" exe="/bin/bash"
> subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
>
--
redhat-lspp mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-lspp
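The AVC and SYSCALL records in the report above are the raw evidence for the reporter's question, and a defender triaging a mismatch like this (write allowed, append denied, same domain, same file) usually wants them paired by audit serial number and reduced to the few fields that matter. The following Python script is an added example, not code from the thread or from the audit or SELinux projects: it parses auditd-style records, pairs each AVC with the SYSCALL record that shares its serial, filters denials against a target type (here auditd_log_t) and decodes the open(2) flags from the SYSCALL a1 argument. The sample input is the two record pairs from the mail, re-joined onto single lines as auditd writes them. Two assumptions are labelled in the code: the flag bits are the generic Linux open(2) values, and syscall 5 in these records is treated as open(2).

```python
import re

# Constructed sample: the two AVC/SYSCALL pairs quoted in the thread, re-joined
# onto one line each (the mail client wrapped them).
AUDIT_SAMPLE = """\
type=AVC msg=audit(1176408498.736:844): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1176408498.737:845): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
"""

# type=<RECORD> msg=audit(<seconds>.<ms>:<serial>): <body>
MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# avc: denied { perm perm } for <key=value ...>
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
# key=value, where value may be quoted, parenthesised (key=(null)) or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

# ASSUMPTION: generic Linux open(2) flag bits (octal). The SYSCALL record prints
# a1 in hex; an arch-specific ABI could use different values.
OPEN_FLAGS = {"O_WRONLY": 0o1, "O_RDWR": 0o2, "O_CREAT": 0o100,
              "O_TRUNC": 0o1000, "O_APPEND": 0o2000}
OPEN_SYSCALL_NR = "5"  # ASSUMPTION: syscall=5 is open(2) on the reporter's box


def _kv(text):
    """Turn 'k=v k="v" k=(null)' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit_records(text):
    """Group audit records by serial: {serial: {time, avc: [...], syscall}}."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # not an audit record; skip it
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"time": float(ts), "avc": [], "syscall": None})
        if rtype == "AVC":
            a = AVC_RE.match(body)
            if not a:
                continue
            verdict, perms, rest = a.groups()
            rec = _kv(rest)
            rec["verdict"] = verdict
            rec["perms"] = perms.split()
            ev["avc"].append(rec)
        elif rtype == "SYSCALL":
            ev["syscall"] = _kv(body)
    return events


def decode_open_flags(hex_value):
    """Return the names of the OPEN_FLAGS bits set in a hex a1 argument."""
    value = int(hex_value, 16)
    return [name for name, bit in OPEN_FLAGS.items() if value & bit]


def summarize_denials(events, target_type):
    """List denied AVCs whose target type matches, joined with their SYSCALL."""
    out = []
    for serial in sorted(events, key=int):
        ev = events[serial]
        sc = ev["syscall"] or {}
        for avc in ev["avc"]:
            if avc["verdict"] != "denied":
                continue
            if avc["tcontext"].split(":")[2] != target_type:
                continue
            flags = []
            if sc.get("syscall") == OPEN_SYSCALL_NR and "a1" in sc:
                flags = decode_open_flags(sc["a1"])
            out.append({
                "serial": serial,
                "source_domain": avc["scontext"].split(":")[2],
                "perms": avc["perms"],
                "name": avc.get("name"),
                "tclass": avc.get("tclass"),
                "success": sc.get("success"),
                "exit": int(sc["exit"]) if "exit" in sc else None,
                "open_flags": flags,
            })
    return out


if __name__ == "__main__":
    for d in summarize_denials(parse_audit_records(AUDIT_SAMPLE), "auditd_log_t"):
        print(f"{d['serial']}: {d['source_domain']} denied {d['perms']} on "
              f"{d['name']} ({d['tclass']}) exit={d['exit']} flags={d['open_flags']}")
```

Run over the sample, both denials decode to an open(2) with O_APPEND set and O_TRUNC clear, which is exactly the `>>` redirection the reporter used; the earlier `>` truncation produced no record at all because it was permitted, so a summary like this only ever shows the denied half of the asymmetry. Pairing the records by serial is what lets you say "append denied, and the syscall really failed with -13" rather than guessing from the AVC alone.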