useradd - audit_write ?

Stephen Smalley sds at tycho.nsa.gov
Thu Jul 13 14:22:06 UTC 2006


On Thu, 2006-07-13 at 07:16 -0700, Tom London wrote:
> Running selinux-policy-2.3.2-1 targeted/permissive.
> 
> Doing my usual 'yum update' of yesterday's rawhide (including
> selinux-policy-2.3.2-2), I noticed this in audit log:
> 
> type=AVC msg=audit(1152799768.153:34): avc:  denied  { audit_write }
> for  pid=3084 comm="useradd" capability=29
> scontext=user_u:system_r:useradd_t:s0
> tcontext=user_u:system_r:useradd_t:s0 tclass=capability
> type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0
> auid=500 subj=user_u:system_r:useradd_t:s0 msg='op=adding user
> acct=dbus exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0
> res=failed)'
> type=SYSCALL msg=audit(1152799768.153:34): arch=40000003 syscall=102
> success=yes exit=116 a0=b a1=bf95a240 a2=6ecff4 a3=bf96068e items=0
> ppid=3083 pid=3084 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd"
> subj=user_u:system_r:useradd_t:s0 key=(null)
> type=SOCKADDR msg=audit(1152799768.153:34): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1152799768.153:34): nargs=6 a0=3 a1=bf95e4dc
> a2=74 a3=0 a4=bf95a270 a5=c

Yes, another program instrumented for audit generation needs that
capability. Why wasn't this taken care of when these programs were
originally instrumented for audit?  (We are only now getting audit
denials due to the netlink capability checking patch that went into
recent kernels, but this would have been getting denied all along, so I
would have expected it to show up in testing).

-- 
Stephen Smalley
National Security Agency
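To make the denial quoted above concrete, here is an added example (written for this page; it is not code from the thread, from the SELinux reference policy, or from audit2allow): it parses the AVC record, maps capability=29 to CAP_AUDIT_WRITE, decodes the SOCKADDR family of the companion record to show the message was headed for a netlink socket, and derives the policy allow rule the useradd_t domain is missing. The rule derivation is written generally, so it handles any AVC denial, not just the capability class; the log lines are copied from Tom's report and reassembled onto single lines, and the helper names (parse_avc, capability_name, allow_rule, sockaddr_family) are this example's own.

```python
"""Decode an SELinux AVC capability denial and derive the missing allow rule.

Added example for the useradd/audit_write thread; not part of any SELinux
tool.  The sample records below are the ones from the original report.
"""
import re

# Linux capability numbers from include/uapi/linux/capability.h, indexed by
# number.  capability=29 in the AVC is CAP_AUDIT_WRITE, the capability the
# kernel checks before accepting user-space audit records over netlink.
CAPABILITIES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Address families relevant to audit SOCKADDR records (linux/socket.h).
ADDRESS_FAMILIES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK"}

# Records from the report, joined back onto one line each (the mail wrapped them).
AVC_LINE = ('type=AVC msg=audit(1152799768.153:34): avc:  denied  { audit_write } '
            'for  pid=3084 comm="useradd" capability=29 '
            'scontext=user_u:system_r:useradd_t:s0 '
            'tcontext=user_u:system_r:useradd_t:s0 tclass=capability')
SOCKADDR_LINE = 'type=SOCKADDR msg=audit(1152799768.153:34): saddr=100000000000000000000000'

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def capability_name(number):
    """Map a capability number from an AVC record to its CAP_* name."""
    number = int(number)
    if 0 <= number < len(CAPABILITIES):
        return CAPABILITIES[number]
    return "CAP_UNKNOWN_%d" % number


def context_type(context):
    """user_u:system_r:useradd_t:s0 -> useradd_t (the type is the third field)."""
    return context.split(":")[2]


def allow_rule(rec):
    """Derive the allow rule that would permit the denied access.

    When source and target types match (always the case for the capability
    class, where a domain acts on itself) the rule uses 'self', which is how
    reference policy writes it.
    """
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    target = "self" if src == tgt else tgt
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (src, target, rec["tclass"], perms)


def sockaddr_family(saddr_hex):
    """Decode the sa_family (first u16, host byte order) of a SOCKADDR saddr.

    The report was from an i386 box (arch=40000003), so little-endian is
    assumed here; 12 bytes of saddr is the size of struct sockaddr_nl.
    """
    family = int.from_bytes(bytes.fromhex(saddr_hex[:4]), "little")
    return family, ADDRESS_FAMILIES.get(family, "AF_%d" % family)


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    cap = capability_name(rec["capability"])
    print("%s (%s) denied %s; policy needs: %s"
          % (rec["comm"], rec["scontext"], cap, allow_rule(rec)))
    saddr = KV_RE.findall(SOCKADDR_LINE)[-1][1]
    print("destination socket family:", sockaddr_family(saddr))
```

The derived rule, `allow useradd_t self:capability audit_write;`, is what the capability check in the kernel's netlink audit path is looking for; the SOCKADDR decode (family 16, AF_NETLINK) confirms the denied syscall was the audit message itself rather than some unrelated socket use by useradd.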



