Re: auditctl se_sen & se_clr
Stephen Smalley wrote:
On Fri, 2006-05-19 at 10:07 -0500, Michael C Thompson wrote:
> Hey all,
>
> I'm trying to figure out how the se_sen and se_clr labels are supposed
> to be used with auditctl.
>
> Here is the selinux context:
> subj=root:staff_r:staff_t:s0-s15:c0.c255
> ^ ^ ^ ^
> se_user ^ se_type ^
> se_role se_clr & se_sen
>
> What is the difference between se_clr and se_sen? And if you have any
> enlightening examples, that would be appreciated.
IIRC, se_sen is how audit refers to the low level (aka sensitivity,
current level) and se_clr is how audit refers to the high level (aka
clearance, max level) of a MLS range in a SELinux context. In the
context above, the se_sen would be the "s0" and the se_clr would be the
"s15:c0.c255".
Thanks, that's what I thought as well. Here is my result of testing this:
root linux user, id:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:staff_r:staff_t:SystemLow-SystemHigh
mcthomps linux user, id:
uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps)
context=user_u:user_r:user_t:SystemLow
When I have the following audit rule is
auditctl -a entry,always -S chmod -F se_clr=s0
the chmod actions taken by mcthomps get logged, but not those done by
root (this is as expected).
When the audit rule is
auditctl -a entry,always -S chmod -F se_clr=s15:c0.c255
the chmod actions taken by root get logged, but not by mcthomps (also
expected).
However, for se_sen, this does not seem to be the case. The rule:
auditctl -a entry,always -S chmod -F se_se=s0
should cause chmod actions taken by both mcthomps and root to be logged,
right? However, I'm only seeing the result of actions taken by mcthomps.
I've also tried to see if se_sen was the entire context, but that
doesn't seem to be the case...
Any ideas? If someone else could take a crack at testing this too, I'd
like to make sure its not just me :)
Thanks,
Mike