Hello,
On Thursday, January 18, 2024 7:46:13 AM EST Max Nebiun wrote:
> I'm trying to develop an Auditd plugin.
> This plugin needs to read information about some processes by reading the /proc
> filesystem. But the SELinux policy applied to Auditd (and its plugins)
> prevents the access. I'm using the AlmaLinux release 8.8 (Sapphire Caracal)
> distribution.
> Auditd version: audit-3.0.7-4.el8.x86_64
> SELinux Auditd plugin context: system_u:system_r:auditd_t:s0
> If I run the plugin directly from bash, it can read all the information it
> needs (but obviously it cannot receive Auditd logs).
Yes. Bash is in the user session, which is likely unconfined_t. What you want
to do is one of two things.
1) Create your own SELinux policy. Start by making a transition for your
program from auditd_t to your own type. You may need to change the label of
the plugin to an exec_t type, which you will then use to create policy placing
it in its final domain. Then run in permissive mode and restart auditd.
Exercise the plugin so that you get a lot of AVCs. Then use
ausearch --start recent --exe=/sbin/plugin -m AVC --raw | audit2allow
to create the rest of the policy. You can probably find examples similar to
this on the internet... or maybe give ChatGPT a shot at it.
2) Enable the audisp_af_unix plugin and rework your plugin to read from it.
Your plugin should run as a service, which would place it in initrc_t since it
has no policy. initrc_t is a permissive domain and you shouldn't have
problems, at least from SELinux.
> Is there a solution?
The better solution is #1 above.
-Steve
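The following is an added example of option #1 from the reply above; it is not code from the thread or from the audit project. It assumes hypothetical names: a domain `audplug_t`, an executable type `audplug_exec_t`, a module called `audplug`, and a plugin installed at `/usr/local/sbin/myplugin`. The policy source only contains the pieces the reply says to start with (the auditd_t to plugin-domain transition and the inherited stdin pipe); every other rule, including the /proc reads the plugin actually needs, is meant to come from the permissive run and the `ausearch | audit2allow` loop, which the functions below wrap. Making only the new domain permissive (`semanage permissive -a`) keeps the rest of the box enforcing while denials are collected.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All names below are
# assumptions: domain audplug_t, file type audplug_exec_t, module audplug,
# plugin binary /usr/local/sbin/myplugin.

PLUGIN_BIN=/usr/local/sbin/myplugin   # assumed install path of the plugin
MODULE=audplug                        # assumed policy module name

# Write the policy sources (.te rules, .fc file labels) into directory $1.
write_plugin_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(audplug, 1.0)

require {
    type auditd_t;
    role system_r;
}

# The plugin's own domain and the type its executable is labeled with.
type audplug_t;
type audplug_exec_t;
domain_type(audplug_t)
domain_entry_file(audplug_t, audplug_exec_t)
role system_r types audplug_t;

# auditd (auditd_t) execs the plugin; executing an audplug_exec_t file
# makes the child land in audplug_t instead of inheriting auditd_t.
domtrans_pattern(auditd_t, audplug_exec_t, audplug_t)

# auditd hands the plugin its event stream on stdin (a pipe created by
# auditd_t), so the new domain must keep using that inherited descriptor.
allow audplug_t auditd_t:fd use;
allow audplug_t auditd_t:fifo_file { read getattr ioctl };

# Everything else (e.g. the /proc reads the plugin needs) is appended from
# the AVCs logged while the domain is permissive; see collect_avc_rules.
EOF
    cat > "$dir/$MODULE.fc" <<'EOF'
/usr/local/sbin/myplugin    --    gen_context(system_u:object_r:audplug_exec_t,s0)
EOF
}

# Compile with the distro's policy devel Makefile, load the module, and
# relabel the plugin binary so the transition rule has a file to match.
build_and_load_policy() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    restorecon -v "$PLUGIN_BIN"
}

# Put only the new domain in permissive mode (denials are logged, not
# enforced) and restart auditd so the plugin is re-spawned in audplug_t.
# On RHEL-family systems auditd is restarted with service(8), not systemctl.
start_permissive_run() {
    semanage permissive -a audplug_t
    service auditd restart
}

# After exercising the plugin, turn the logged AVCs for it into rules and
# append them to the .te for the next build. -R makes audit2allow prefer
# reference-policy interfaces over raw allow rules where it can.
collect_avc_rules() {
    dir="$1"
    ausearch --start recent -m AVC -x "$PLUGIN_BIN" --raw \
        | audit2allow -R >> "$dir/$MODULE.te"
}

# Once no new AVCs appear: rebuild, reload, and drop the permissive flag so
# the domain is enforced like the rest of the system.
finalize_policy() {
    build_and_load_policy "$1"
    semanage permissive -d audplug_t
    service auditd restart
}
```

A typical sequence is `write_plugin_policy ./audplug`, `build_and_load_policy ./audplug`, `start_permissive_run`, drive the plugin, `collect_avc_rules ./audplug`, review what audit2allow appended (it grants exactly what was denied, so unexpected rules usually mean the plugin is touching more than intended), then `finalize_policy ./audplug`. Checking `ps -eZ | grep myplugin` after the restart confirms the process really runs as `audplug_t` rather than `auditd_t`.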