Re: auditctl se_sen & se_clr

On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote: > Thanks, that's what I thought as well. Here is my result of testing this: > > root linux user, id: > uid=0(root) gid=0(root) > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) > context=root:staff_r:staff_t:SystemLow-SystemHigh > > mcthomps linux user, id: > uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps) > context=user_u:user_r:user_t:SystemLow > > When I have the following audit rule is > auditctl -a entry,always -S chmod -F se_clr=s0 > the chmod actions taken by mcthomps get logged, but not those done by > root (this is as expected). This means that a "range" of s0 is being interpreted as: se_sen='' se_clr='s0' ...which isn't what I'd expect, but given that...

> When the audit rule is > auditctl -a entry,always -S chmod -F se_clr=s15:c0.c255 > the chmod actions taken by root get logged, but not by mcthomps (also > expected). > > However, for se_sen, this does not seem to be the case. The rule: > auditctl -a entry,always -S chmod -F se_se=s0 > should cause chmod actions taken by both mcthomps and root to be logged, > right? However, I'm only seeing the result of actions taken by mcthomps. This follows the same methodology.