1:31 p.m.
Hi All,
Some files in /selinux have a weird behavior on audit records... When I
try read (or write) some files with no read (or write) permission, I
can't get the audit record even when I watch the file.
Look at this example:
[root@alex tmp]# auditctl -w /selinux/disable
[root@alex tmp]# cat /selinux/disable
cat: /selinux/disable: Invalid argument
[root@alex tmp]# ausearch -i -f /selinux/disable
----
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0
name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64
syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160
a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023
key=(null)
The cat command failed and audit is saying "success". A bit strange for
me. Could anybody clarify this point for me, please?
Best Regards
--
Camilo Yamauchi Campo
Linux Technology Center
Software Engineer
camilo(a)br.ibm.com
2:23 p.m.
On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
The cat command failed and audit is saying "success". A bit
strange for
me. Could anybody clarify this point for me, please?
It works correctly for me:
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
write(2, "cat: ", 5cat: ) = 5
type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0
name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root
rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open
success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000
items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb
suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0
comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
Try running with strace so you can see the open syscall.
-Steve
3:13 p.m.
On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> The cat command failed and audit is saying "success". A bit strange for
> me. Could anybody clarify this point for me, please?
It works correctly for me:
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
You got EACCES rather than EINVAL, so your test didn't reach the same
point in the code path. Try it as root (and with appropriate SELinux
role/domain if under -strict or -mls).
write(2, "cat: ", 5cat: ) = 5
type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0
name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root
rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open
success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000
items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb
suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0
comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
Try running with strace so you can see the open syscall.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Stephen Smalley
National Security Agency
3:17 p.m.
On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > The cat command failed and audit is saying "success". A bit strange
for
> > me. Could anybody clarify this point for me, please?
>
> It works correctly for me:
>
> fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission
denied)
You got EACCES rather than EINVAL, so your test didn't reach the same
point in the code path. Try it as root (and with appropriate SELinux
role/domain if under -strict or -mls).
I tried it, and the open succeeds, but the read fails with -EINVAL
because the underlying pseudo file doesn't implement a read method at
all for that node. So the audit is only capturing the open, which was
successful.
> write(2, "cat: ", 5cat: ) = 5
>
> type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0
> name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root
> rdev=00:00 obj=system_u:object_r:security_t:s0
> type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
> type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open
> success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000
> items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb
> suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0
> comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
>
> Try running with strace so you can see the open syscall.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Stephen Smalley
National Security Agency
3:25 p.m.
On Fri, 2007-03-09 at 16:17 -0500, Stephen Smalley wrote:
On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > The cat command failed and audit is saying "success". A bit
strange for
> > > me. Could anybody clarify this point for me, please?
> >
> > It works correctly for me:
> >
> > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES
(Permission denied)
>
> You got EACCES rather than EINVAL, so your test didn't reach the same
> point in the code path. Try it as root (and with appropriate SELinux
> role/domain if under -strict or -mls).
I tried it, and the open succeeds, but the read fails with -EINVAL
because the underlying pseudo file doesn't implement a read method at
all for that node. So the audit is only capturing the open, which was
successful.
And since one has to be root to open it at all, and root has
dac_read_search, you can bypass the DAC mode on it at open time.
So...not a bug?
--
Stephen Smalley
National Security Agency
11:10 p.m.
On Fri, 2007-03-09 at 16:25 -0500, Stephen Smalley wrote:
On Fri, 2007-03-09 at 16:17 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> > On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > > The cat command failed and audit is saying "success". A bit
strange for
> > > > me. Could anybody clarify this point for me, please?
> > >
> > > It works correctly for me:
> > >
> > > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES
(Permission denied)
> >
> > You got EACCES rather than EINVAL, so your test didn't reach the same
> > point in the code path. Try it as root (and with appropriate SELinux
> > role/domain if under -strict or -mls).
>
> I tried it, and the open succeeds, but the read fails with -EINVAL
> because the underlying pseudo file doesn't implement a read method at
> all for that node. So the audit is only capturing the open, which was
> successful.
And since one has to be root to open it at all, and root has
dac_read_search, you can bypass the DAC mode on it at open time.
So...not a bug?
For me this seems a bug... if I can't audit a denied access in a watched
file...
Camilo Y. Campo
6492
days inactive
6497
days old
linux-audit@lists.linux-audit.osci.io
5 comments
3 participants
participants (3)
-
Camilo Y. Campo -
Stephen Smalley -
Steve Grubb