4:26 p.m.
When in enforcing mode, I am only able to audit files in selinuxfs by
inode, not by path. I am running as auditadm_r.
/* Try adding audit rule with -F path */
# auditctl -a exit,always -S open -F path=/selinux/enforce
Error sending add rule request (Permission denied)
# auditctl -l
No rules
/* Try adding audit rule with -w path syntax */
# auditctl -w /selinux/enforce
Error sending add rule request (Permission denied)
/* Try adding audit rule with -F inode */
# ls -i /selinux/enforce
4 /selinux/enforce
# auditctl -a exit,always -S open -F inode=4
# auditctl -l
LIST_RULES: exit,always inode=4 (0x4) syscall=open
Since it is possible to audit the files, this might only require a
documentation change. Perhaps adding a comment to the auditctl man page
would be sufficient?
-debbie
4:46 p.m.
Debora Velarde wrote:
When in enforcing mode, I am only able to audit files in selinuxfs by
inode, not by path. I am running as auditadm_r.
/* Try adding audit rule with -F path */
# auditctl -a exit,always -S open -F path=/selinux/enforce
Error sending add rule request (Permission denied)
# auditctl -l
No rules
/* Try adding audit rule with -w path syntax */
# auditctl -w /selinux/enforce
Error sending add rule request (Permission denied)
/* Try adding audit rule with -F inode */
# ls -i /selinux/enforce
4 /selinux/enforce
# auditctl -a exit,always -S open -F inode=4
# auditctl -l
LIST_RULES: exit,always inode=4 (0x4) syscall=open
I wonder what this is actually doing. An inode number without
a file system isn't very interesting. Should this rule even
be accepted?
Since it is possible to audit the files, this might only require a
documentation change. Perhaps adding a comment to the auditctl man page
would be sufficient?
-debbie
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
5:11 p.m.
On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
Debora Velarde wrote:
> # auditctl -a exit,always -S open -F inode=4
> # auditctl -l
> LIST_RULES: exit,always inode=4 (0x4) syscall=open
I wonder what this is actually doing. An inode number without
a file system isn't very interesting. Should this rule even
be accepted?
Well, probably this is telling the audit system to audit access to all
inodes with the number 4 on any filesystem, and if that's not what you
want you need to be more specific...
Given the Unix philosophy of allowing admins to shoot themselves in the
foot, would a warning be appropriate?
-Klaus
5:18 p.m.
Klaus Weidner wrote:
On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
>Debora Velarde wrote:
>
>># auditctl -a exit,always -S open -F inode=4
>># auditctl -l
>>LIST_RULES: exit,always inode=4 (0x4) syscall=open
>
>I wonder what this is actually doing. An inode number without
>a file system isn't very interesting. Should this rule even
>be accepted?
Well, probably this is telling the audit system to audit access to all
inodes with the number 4 on any filesystem, and if that's not what you
want you need to be more specific...
That's exactly what its doing. Debora verified she's getting the audit
record she's looking for and I verified that you'll also get audit records
for any inode 4, at least on my system.
Given the Unix philosophy of allowing admins to shoot themselves in the
foot, would a warning be appropriate?
I would think so. I'm not exactly sure how you'd specify the file system
you want. Is the major/minor pair?
-- ljk
8:59 p.m.
On Wed, 27 Sep 2006 18:18:45 EDT, Linda Knippers said:
I would think so. I'm not exactly sure how you'd specify the file system
you want. Is the major/minor pair?
What's the major/minor for /proc?
(or any other pseudo file system that one might want to put a watch on).
(And am I going to get a brick lobbed at me if I say "unionfs"? :)
10:33 a.m.
--- Valdis.Kletnieks(a)vt.edu wrote:
On Wed, 27 Sep 2006 18:18:45 EDT, Linda Knippers
said:
>
> I would think so. I'm not exactly sure how you'd
specify the file system
> you want. Is the major/minor pair?
What's the major/minor for /proc?
You should be able to get that from the
audit record generated by an operation
if you decided to audit /proc/<something>
and then attempt an illegel access.
I wouldn't be too surprised if the value
reported is uninformative. The dev number
is in the audit record for file access,
right?
(or any other pseudo file system that one might want
to put a watch on).
If the "device" is not meaningfull there ought
to be something useful in the superblock.
(And am I going to get a brick lobbed at me if I say
"unionfs"? :)
A half-brick. They have better range.
Casey Schaufler
casey(a)schaufler-ca.com
8:34 a.m.
On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
When in enforcing mode, I am only able to audit files in selinuxfs by
inode, not by path. I am running as auditadm_r.
/* Try adding audit rule with -F path */
# auditctl -a exit,always -S open -F path=/selinux/enforce
Error sending add rule request (Permission denied)
What avc denial do you get? I suspect this just means the policy should
be changed to allow e.g. search on security_t:dir for auditctl.
# auditctl -l
No rules
/* Try adding audit rule with -w path syntax */
# auditctl -w /selinux/enforce
Error sending add rule request (Permission denied)
/* Try adding audit rule with -F inode */
# ls -i /selinux/enforce
4 /selinux/enforce
# auditctl -a exit,always -S open -F inode=4
# auditctl -l
LIST_RULES: exit,always inode=4 (0x4) syscall=open
Since it is possible to audit the files, this might only require a
documentation change. Perhaps adding a comment to the auditctl man page
would be sufficient?
--
Stephen Smalley
National Security Agency
1:39 p.m.
Stephen Smalley <sds(a)tycho.nsa.gov> wrote on 09/28/2006 06:34:43 AM:
On Wed, 2006-09-27 at 14:26 -0700, Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path. I am running as auditadm_r.
>
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)
What avc denial do you get? I suspect this just means the policy should
be changed to allow e.g. search on security_t:dir for auditctl.
I don't see any AVC messages when I try to add this rule.
The only new record I see is:
type=CONFIG_CHANGE msg=audit(1159461436.758:1016): auid=500
subj=staff_u:auditadm_r:auditctl_t:s0-s15:c0.c255 add rule key=(null)
list=4 res=0
But no rule was added:
# auditctl -l
No rules
3:33 p.m.
On Wednesday 27 September 2006 17:26, Debora Velarde wrote:
When in enforcing mode, I am only able to audit files in selinuxfs
by
inode, not by path. I am running as auditadm_r.
/* Try adding audit rule with -F path */
# auditctl -a exit,always -S open -F path=/selinux/enforce
Error sending add rule request (Permission denied)
When I do this command, I see AVC's:
time->Thu Sep 28 16:25:12 2006
type=AVC msg=audit(1159475112.366:289): avc: denied { getattr } for
pid=12893 comm="auditctl" name="/" dev=hda7 ino=2
scontext=root:system_r:auditctl_t:s0-s0:c0.c255
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
allow auditctl_t fs_t:filesystem getattr;
allow auditctl_t security_t:dir search;
-Steve
3:42 p.m.
On Thu, 2006-09-28 at 16:33 -0400, Steve Grubb wrote:
On Wednesday 27 September 2006 17:26, Debora Velarde wrote:
> When in enforcing mode, I am only able to audit files in selinuxfs by
> inode, not by path. I am running as auditadm_r.
>
> /* Try adding audit rule with -F path */
> # auditctl -a exit,always -S open -F path=/selinux/enforce
> Error sending add rule request (Permission denied)
When I do this command, I see AVC's:
time->Thu Sep 28 16:25:12 2006
type=AVC msg=audit(1159475112.366:289): avc: denied { getattr } for
pid=12893 comm="auditctl" name="/" dev=hda7 ino=2
scontext=root:system_r:auditctl_t:s0-s0:c0.c255
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
allow auditctl_t fs_t:filesystem getattr;
allow auditctl_t security_t:dir search;
Yes, seems like that should just be addressed through policy (but likely
in a broader sense, not just these particular types).
--
Stephen Smalley
National Security Agency
6574
days inactive
6575
days old
linux-audit@lists.linux-audit.osci.io
9 comments
7 participants
participants (7)
-
Casey Schaufler -
Debora Velarde -
Klaus Weidner -
Linda Knippers -
Stephen Smalley -
Steve Grubb -
Valdis.Kletnieks@vt.edu