8:37 a.m.
On Friday, April 20, 2018 9:20:29 AM EDT Jiri Jaburek wrote:
(Please CC me on replies.)
Hello,
I'm trying to run the audit-test suite on Fedora 28 and am running into
it expecting a name= field in the SYSCALL entry.
augrok --seek=697600 -m1 type==SYSCALL syscall=openat success=no
pid=3951 auid=1000 uid=0 euid=0 suid=0 fsuid=0 gid=0
egid=0 sgid=0 fsgid=0 exit=-13
subj=staff_u:lspp_test_r:lspp_test_generic_t:SystemHigh
name=tmp.owfFtgPOjx/new
Fedora 28:
----
time->Fri Apr 20 15:04:59 2018
type=PROCTITLE msg=audit(1524229499.918:366591):
proctitle=2F62696E2F62617368002E2F72756E2E62617368002D647600323734
type=PATH msg=audit(1524229499.918:366591): item=0
name="tmp.J4IQL7Buxe/" inode=1055495 dev=fd:02 mode=040700 ouid=0 ogid=0
rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 nametype=PARENT
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1524229499.918:366591):
cwd="/usr/local/eal4_testing/audit-test/syscalls"
type=SYSCALL msg=audit(1524229499.918:366591): arch=c000003e syscall=257
success=no exit=-13 a0=3 a1=7ffc02f0eaf6 a2=c0 a3=16b6010 items=1
ppid=5275 pid=5276 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="do_openat"
exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat"
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1524229499.918:366591): avc: denied { create } for
pid=5276 comm="do_openat" name="new"
scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023
tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
----
RHEL-7.5:
----
time->Fri Apr 20 15:06:59 2018
type=PROCTITLE msg=audit(1524229619.726:56605):
proctitle=72756E636F6E0073746166665F753A6C7370705F746573745F723A6C7370705F7
46573745F67656E657269635F743A53797374656D4869676800646F5F6F70656E6174002F74
6D7000746D702E30674C74574A336977622F6E6577006372656174650073746166665F753A6
F626A6563745F723A757365725F746D705F743A53 type=PATH
msg=audit(1524229619.726:56605): item=1
name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1524229619.726:56605): item=0 name="tmp.0gLtWJ3iwb/"
inode=1055489 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 objtype=PARENT
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1524229619.726:56605):
cwd="/usr/local/eal4_testing/audit-test/syscalls"
type=SYSCALL msg=audit(1524229619.726:56605): arch=c000003e syscall=257
success=no exit=-13 a0=3 a1=7ffc1ecd6b57 a2=c0 a3=0 items=2 ppid=20750
pid=20751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1595 comm="do_openat"
exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat"
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
----
The key difference here is probably the absence of
type=PATH msg=audit(1524229619.726:56605): item=1
name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
on Fedora 28, which augrok looks for.
Is this expected?
I'm seeing something similar with other syscalls like
creat("/tmp/tmp.9EsMgMuio7/new", 0700)
producing
----
type=PROCTITLE msg=audit(04/20/2018 15:15:35.547:371576) :
proctitle=runcon staff_u:lspp_test_r:lspp_test_generic_t:SystemHigh
do_creat /tmp/tmp.9EsMgMuio7/new staff_u:object_r:user_tmp_t:SystemLow
type=PATH msg=audit(04/20/2018 15:15:35.547:371576) : item=0
name=/tmp/tmp.9EsMgMuio7/ inode=1572964 dev=fd:02 mode=dir,700 ouid=root
ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/20/2018 15:15:35.547:371576) :
cwd=/usr/local/eal4_testing/audit-test/syscalls
type=SYSCALL msg=audit(04/20/2018 15:15:35.547:371576) : arch=x86_64
syscall=creat success=no exit=EACCES(Permission denied)
a0=0x7ffc41d04af9 a1=0700 a2=0x0 a3=0x0 items=1 ppid=6779 pid=6780
auid=eal uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=2 comm=do_creat
exe=/usr/local/eal4_testing/audit-test/utils/bin/do_creat
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(04/20/2018 15:15:35.547:371576) : avc: denied {
create } for pid=6780 comm=do_creat name=new
scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023
tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
This record says you were denied create. That means it can report the parent
object and its properties. But it cannot report on the object being created
because it has no properties except an intended name. But it has no device,
inode, owner, label, etc. If the system were in permissive mode, you will
probably get the actual object and its properties.
-Steve
----
but the lack of "/new" in PATH here seems more like a bug.
Thanks,
Jiri
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit