Re: audit capability checks not audited
On Thu, 2005-05-19 at 11:27 -0400, Steve Grubb wrote:
On Tuesday 17 May 2005 09:12, Steve Grubb wrote:
> Then I'll ask Dan what's wrong. I think that libpam should probably be
> fixed if that is indeed the problem.
OK. I see the problem now.
In /fs/proc/base.c we have this code:
845 static ssize_t proc_loginuid_write(struct file * file, const char __user *
buf,
846 size_t count, loff_t *ppos)
847 {
854 if (!capable(CAP_AUDIT_CONTROL))
855 return -EPERM;
So, this means that the pam module has to have CONTROL capabilites to set the
loginuid. This is clearly not what we want. Should this be changed to WRITE
or should we have another capability? Or, does anyone have another idea?
No, CAP_AUDIT_WRITE would be worse, as any application that can generate
an audit message would then be able to also set its own loginuid.
Finer-grained control can be achieved using the SELinux permission
checks on netlink_audit_socket. CAP_AUDIT_CONTROL then becomes
necessary but not sufficient to modify the audit rules; you also need
SELinux nlmsg_write permission to netlink_audit_socket.
--
Stephen Smalley
National Security Agency