Linda Knippers wrote:
Loulwa Salem wrote:
I was running some test cases and ran into a scenario where secadm_r was
permitted to write to /var/log/audit/audit.log.
I was not expecting secadm to be able to perform that operation. However,
secadm_r was denied appends to the log, and I get AVC messages for
append perms in the log (see output below).
I am running with the latest .74 kernel and policy.54, in Enforcing of course.
It doesn't really make sense to me that secadm can completely overwrite
the audit log but can't append to it. I didn't think secadm should even
have write permission to the audit log in the first place.
Any thoughts on this..?
I think one way or another, you've uncovered a bug and should file a
bugzilla. Either the append should work or the truncate/write
shouldn't. I can envision cases where one might want to allow
someone to append but not truncate, but you're seeing the opposite.
I don't recall whether this is supposed to work for secadm_r or
not, but I'm thinking that it should. I assume both operations work
with sysadm_r?
I am getting permission denied in either case.
-- ljk
Thanks
- Loulwa
Here are the steps I did...
[root/secadm_r/[EMAIL PROTECTED] bin]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:secadm_r:secadm_t:SystemLow-SystemHigh
[root/secadm_r/[EMAIL PROTECTED] bin]# ls -Z /var/log/audit/audit.log
-rw-r----- root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log
[root/secadm_r/[EMAIL PROTECTED] bin]# echo "boo" > /var/log/audit/audit.log
[root/secadm_r/[EMAIL PROTECTED] bin]# cat /var/log/audit/audit.log
boo
[root/secadm_r/[EMAIL PROTECTED] bin]# echo "boo2" >> /var/log/audit/audit.log
-bash: /var/log/audit/audit.log: Permission denied
[root/secadm_r/[EMAIL PROTECTED] bin]# cat /var/log/audit/audit.log
boo
type=AVC msg=audit(1176408498.736:844): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1176408498.737:845): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
--
redhat-lspp mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-lspp
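The asymmetry in the thread (bash `>` succeeds, `>>` is denied) comes from how SELinux maps open(2) flags to file-class permissions: a write-mode open with O_APPEND is checked as `append`, one without it as `write`, so a policy that grants secadm_t `write` but not `append` on auditd_log_t produces exactly the records quoted above. The script below is an added example, not code from the thread or from the SELinux project. It parses the two AVC/SYSCALL pairs (embedded as a constructed sample, joined onto one line per record), decodes the raw `a1` open flags, and reports which permission the kernel would check for each call. The flag bit values are the 32-bit PowerPC ones, chosen because `arch=14` is EM_PPC; that platform guess and the minimal syscall table are assumptions.

```python
"""Explain SELinux file-permission denials on open(2) from paired audit records."""
import re

# Constructed sample: the two audit events quoted in the thread, one record
# per line as auditd writes them.
SAMPLE_LOG = """\
type=AVC msg=audit(1176408498.736:844): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1176408498.737:845): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
"""

# open(2) flag bits for 32-bit PowerPC (arch=14 is EM_PPC). Assumed from the
# reporter's platform; x86 uses a different O_LARGEFILE value, for instance.
PPC_OPEN_FLAGS = {
    0x0040: "O_CREAT", 0x0080: "O_EXCL", 0x0100: "O_NOCTTY", 0x0200: "O_TRUNC",
    0x0400: "O_APPEND", 0x0800: "O_NONBLOCK", 0x10000: "O_LARGEFILE",
}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
PPC_SYSCALLS = {5: "open"}  # only the number this thread needs (assumption)

HDR_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def decode_open_flags(a1_hex):
    """Turn the raw hex a1 argument of open(2) into symbolic flag names."""
    flags = int(a1_hex, 16)
    names = [ACCMODE.get(flags & 3, "O_ACCMODE?")]
    names += [name for bit, name in sorted(PPC_OPEN_FLAGS.items()) if flags & bit]
    return names


def selinux_file_perms(flag_names):
    """File-class permissions the SELinux open hook checks for these flags.

    Mirrors the kernel's file_mask_to_av(): a write-mode open asks for
    'append' when O_APPEND is set and 'write' otherwise. O_TRUNC is a size
    change, which selinux_inode_setattr() also checks as 'write'. Creation
    of a missing file ('create' on the directory) is not modelled here.
    """
    perms = set()
    if "O_RDONLY" in flag_names or "O_RDWR" in flag_names:
        perms.add("read")
    if "O_WRONLY" in flag_names or "O_RDWR" in flag_names:
        perms.add("append" if "O_APPEND" in flag_names else "write")
    if "O_TRUNC" in flag_names:
        perms.add("write")
    return perms


def shell_redirect_perms(op):
    """Permissions bash's '>' and '>>' redirections request on an existing file."""
    flags = {">": ["O_WRONLY", "O_CREAT", "O_TRUNC"],
             ">>": ["O_WRONLY", "O_CREAT", "O_APPEND"]}[op]
    return selinux_file_perms(flags)


def parse_events(log_text):
    """Group AVC and SYSCALL records by audit serial and decode each open()."""
    events = {}
    for line in log_text.splitlines():
        m = HDR_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"serial": int(serial), "ts": ts})
        if rtype == "AVC":
            a = AVC_RE.search(body)
            ev["result"] = a.group(1)
            ev["denied"] = a.group(2).split()
            ev.update(dict(KV_RE.findall(a.group(3))))
        elif rtype == "SYSCALL":
            kv = dict(KV_RE.findall(body))
            ev["syscall"] = PPC_SYSCALLS.get(int(kv["syscall"]), kv["syscall"])
            ev["exe"] = kv.get("exe", "").strip('"')
            if ev["syscall"] == "open":
                ev["flags"] = decode_open_flags(kv["a1"])
                ev["checked"] = selinux_file_perms(ev["flags"])
    return [events[k] for k in sorted(events)]


def explain(ev):
    """One-line summary: who was denied what, and which open flags caused it."""
    src = ev["scontext"].split(":")[2]
    tgt = ev["tcontext"].split(":")[2]
    return (f"serial {ev['serial']}: {ev['exe']} ({src}) denied "
            f"{' '.join(ev['denied'])} on {tgt}:{ev['tclass']}; "
            f"open flags {'|'.join(ev['flags'])} -> kernel checks {sorted(ev['checked'])}")


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(explain(ev))
    print("bash '>' needs", sorted(shell_redirect_perms(">")),
          "; bash '>>' needs", sorted(shell_redirect_perms(">>")))
```

Running it shows both denials are for `append` with `O_APPEND` set (the second attempt is bash retrying without `O_CREAT`), while `>` only ever asks for `write`. That is the check to run before filing the bug the thread suggests: if the intended policy is that secadm_t should not touch auditd_log_t at all, the surprising part is the `write` allow rule, not the missing `append` one.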