Re: auditctl se_sen & se_clr
James Antill wrote:
On Fri, 2006-05-19 at 12:44 -0500, Michael C Thompson wrote:
> James Antill wrote:
>> On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote:
>>
>>> Thanks, that's what I thought as well. Here is my result of testing
this:
>>>
>>> root linux user, id:
>>> context=root:staff_r:staff_t:SystemLow-SystemHigh
>>>
>>> mcthomps linux user, id:
>>> context=user_u:user_r:user_t:SystemLow
>>>
>>> When I have the following audit rule is
>>> auditctl -a entry,always -S chmod -F se_clr=s0
>>> the chmod actions taken by mcthomps get logged, but not those done by
>>> root (this is as expected).
>> This means that a "range" of s0 is being interpreted as:
>>
>> se_sen=''
>> se_clr='s0'
>>
>> ...which isn't what I'd expect, but given that...
> I'm sorry, I do not follow what you mean here.
The mls range for root is s0-s0:c0.c255, where:
se_sen = s0
se_clr = s0:c0.c255
Right, this makes sense.
The mls range for mcthomps is s0, given the above works then:
se_clr = s0
...and given the range is s0 and not s0-s0 then se_sen must be blank
(and so won't match s0).
AFIAK, you must have both a low and a high, which means for mcthomps,
se_sen=0 and se_clr=s0.
The testing that I have done with auditctl's se_sen and se_clr filters
has the se_clr working for both the root user and the mcthomps user, but
se_sen only captures audit events for mcthomps when:
auditctl -a entry,always -S chmod -F se_sen=s0
I would expect that since se_sen=s0 for both root and mcthomps, that
both of their chmod actions would be logged, but root's actions are not
being captured.
This leads me to believe either our definition of se_sen is wrong, or if
our definition of se_sen is correct, then the implementation of se_sen
has some bug in it.
Thanks,
Mike