[redhat-lspp] secadm can overwrite audit log but not append to it

Daniel J Walsh dwalsh at redhat.com
Fri Apr 13 18:59:23 UTC 2007


Linda Knippers wrote:
> Loulwa Salem wrote:
>   
>> I was running some test cases and ran into a scenario where secadm_r was
>> permitted to write to /var/log/audit/audit.log
>> I was not expecting secadm to be able to perform that operation. However
>> secadm_r was denied appends to the log, and I get AVC messages for
>> append perms in the log (see output below).
>>
>> I am running with the latest .74 kernel and policy.54 in Enforcing, of course.
>>
>> It doesn't really make sense to me that secadm can completely overwrite
>> the audit log but can't append to it. I didn't think secadm should even
>> have write permission to audit log in the first place
>>
>> Any thoughts on this .. ?
>>     
>
> I think one way or another, you've uncovered a bug and should file a
> bugzilla.  Either the append should work or the truncate/write
> shouldn't.  I can envision cases where one might want to allow
> someone to append but not truncate but you're seeing the opposite.
>
> I don't recall whether this is supposed to work for secadm_r or
> not but I'm thinking that it should.  I assume both operations work
> with sysadm_r?
>   
I am getting permission denied in either case.
> -- ljk
>
>   
>> Thanks
>> - Loulwa
>>
>> Here are the steps I did...
>>
>> [root/secadm_r/SystemLow at joy-hv4 bin]# id
>> uid=0(root) gid=0(root)
>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>> context=staff_u:secadm_r:secadm_t:SystemLow-SystemHigh
>>
>> [root/secadm_r/SystemLow at joy-hv4 bin]# ls -Z /var/log/audit/audit.log
>> -rw-r-----  root root system_u:object_r:auditd_log_t:SystemHigh
>> /var/log/audit/audit.log
>>
>> [root/secadm_r/SystemLow at joy-hv4 bin]# echo "boo" >
>> /var/log/audit/audit.log
>> [root/secadm_r/SystemLow at joy-hv4 bin]# cat /var/log/audit/audit.log
>> boo
>>
>> [root/secadm_r/SystemLow at joy-hv4 bin]# echo "boo2" >>
>> /var/log/audit/audit.log
>> -bash: /var/log/audit/audit.log: Permission denied
>> [root/secadm_r/SystemLow at joy-hv4 bin]# cat /var/log/audit/audit.log
>> boo
>> type=AVC msg=audit(1176408498.736:844): avc:  denied  { append } for 
>> pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916
>> scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
>> tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
>> type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no
>> exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850
>> pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=pts2 comm="bash" exe="/bin/bash"
>> subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
>> type=AVC msg=audit(1176408498.737:845): avc:  denied  { append } for 
>> pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916
>> scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
>> tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
>> type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no
>> exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850
>> pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=pts2 comm="bash" exe="/bin/bash"
>> subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
>>
>> -- 
>> redhat-lspp mailing list
>> redhat-lspp at redhat.com
>> https://www.redhat.com/mailman/listinfo/redhat-lspp
>>     
>
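To show why the two shell redirections in the quoted session are treated differently, here is an added example (not from the thread or from any Red Hat code) that joins the AVC and SYSCALL records above by audit serial, decodes the open(2) flags carried in a1, and applies the kernel's rule that a write-mode open with O_APPEND is checked against the SELinux `append` permission while one without it is checked against `write`. Assumptions: arch=14 is read as EM_PPC and the flag values are the 32-bit PowerPC ones; the sample records are the thread's own, re-joined onto one line each as auditd writes them.

```python
import re

# Sample input: the two AVC/SYSCALL pairs quoted in the thread, constructed here
# as one line per record (auditd emits each record on a single line).
AUDIT_LOG = """\
type=AVC msg=audit(1176408498.736:844): avc:  denied  { append } for  pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1176408498.737:845): avc:  denied  { append } for  pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
"""

# open(2) flag bits for arch=14 (assumed EM_PPC, 32-bit PowerPC). These match
# asm-generic except O_LARGEFILE, which is 0o200000 on PowerPC.
O_WRONLY, O_CREAT, O_TRUNC, O_APPEND, O_LARGEFILE = 0o1, 0o100, 0o1000, 0o2000, 0o200000
FLAG_NAMES = [("O_CREAT", O_CREAT), ("O_TRUNC", O_TRUNC),
              ("O_APPEND", O_APPEND), ("O_LARGEFILE", O_LARGEFILE)]

def decode_open_flags(flags):
    """Return the symbolic names of the access mode and the flag bits set."""
    acc = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}[flags & 0o3]
    return [acc] + [name for name, bit in FLAG_NAMES if flags & bit]

def selinux_file_perm(flags):
    """SELinux file permission checked at open(): a write-mode open with O_APPEND
    needs 'append'; a write-mode open without it needs 'write' (kernel file_to_av)."""
    if flags & 0o3 == 0:
        return "read"
    return "append" if flags & O_APPEND else "write"

def parse_denials(text):
    """Join AVC and SYSCALL records by audit serial; one dict per denied event."""
    events = {}
    for line in text.splitlines():
        m = re.match(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)", line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        ev = events.setdefault(serial, {})
        if rtype == "AVC":
            ev["denied"] = re.search(r"denied\s+\{ ([\w ]+) \}", body).group(1).split()
            ev.update(re.findall(r"(scontext|tcontext|tclass)=(\S+)", body))
        elif rtype == "SYSCALL":
            kv = dict(re.findall(r"(\w+)=(\S+)", body))
            if kv.get("arch") == "14" and kv.get("syscall") == "5":   # PowerPC open(2)
                flags = int(kv["a1"], 16)
                ev["flags"] = decode_open_flags(flags)
                ev["needs"] = selinux_file_perm(flags)
    return events

def truncate_vs_append():
    """The asymmetry from the thread: '>' (O_TRUNC) asks for 'write', '>>' for 'append'."""
    trunc = O_WRONLY | O_CREAT | O_TRUNC | O_LARGEFILE
    app = O_WRONLY | O_CREAT | O_APPEND | O_LARGEFILE
    return selinux_file_perm(trunc), selinux_file_perm(app)
```

Run against the records, both serials decode a1 to an O_APPEND open that needs `append`, while the `>` redirection only needs `write`; a policy granting secadm_t `write` but not `append` on auditd_log_t therefore yields exactly the behaviour reported, which is the reverse of an append-only log design.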