--- Darrel Goeddel <dgoeddel(a)trustedcs.com> wrote:
Serge E. Hallyn wrote:
> The attached patch addresses Stephen's comments about re-using
> dummy_capget code and properly checking capabilities in
> selinux_netlink_send.
>
> To review, it
>
> 1. adds two new capabilities, CAP_AUDIT_READ and CAP_AUDIT_WRITE
> ...
It would seem that separate CAP_AUDIT_ADMIN/CAP_AUDIT_WRITE capabilities
are much more important than having a separate CAP_ADMIN_READ capability.
The POSIX Draft uses CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL, with the
latter required for reading records. Irix does the same. A capability
for reading audit records separate from that required to disable their
generation, the logic went, is hardly necessary.
The CAP_AUDIT_WRITE capability should only allow a process to generate a
userspace audit message.
This is consistent with POSIX.
I think capability checks should map like this:
AUDIT_GET -> none (possibly CAP_AUDIT_ADMIN)
AUDIT_SET -> CAP_AUDIT_ADMIN
AUDIT_LIST -> none (possibly CAP_AUDIT_ADMIN)
AUDIT_ADD -> CAP_AUDIT_ADMIN
AUDIT_DEL -> CAP_AUDIT_ADMIN
AUDIT_USER -> CAP_AUDIT_WRITE
AUDIT_LOGIN -> CAP_AUDIT_ADMIN
The case of AUDIT_LOGIN has merit for a separate CAP_AUDIT_LOGIN
capability because this carries much more importance than AUDIT_USER,
but we really should not have the ability to mess with the rest of the
configuration. However, this action is as important to the reliability
of the audit logs as the configuration of the audit subsystem. I would
prioritize this capability above CAP_AUDIT_READ as well.
The granularity of capabilities should be carefully policed. Data
General had over 330 in DGUX. If it is at all possible to get by with
two, that would be best.
=====
Casey Schaufler
casey(a)schaufler-ca.com