useradd - audit_write ?

Daniel J Walsh dwalsh at redhat.com
Thu Jul 13 14:24:23 UTC 2006


Stephen Smalley wrote:
> On Thu, 2006-07-13 at 07:16 -0700, Tom London wrote:
>   
>> Running selinux-policy-2.3.2-1 targeted/permissive.
>>
>> Doing my usual 'yum update' of yesterday's rawhide (including
>> selinux-policy-2.3.2-2), I noticed this in audit log:
>>
>> type=AVC msg=audit(1152799768.153:34): avc:  denied  { audit_write }
>> for  pid=3084 comm="useradd" capability=29
>> scontext=user_u:system_r:useradd_t:s0
>> tcontext=user_u:system_r:useradd_t:s0 tclass=capability
>> type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0
>> auid=500 subj=user_u:system_r:useradd_t:s0 msg='op=adding user
>> acct=dbus exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0
>> res=failed)'
>> type=SYSCALL msg=audit(1152799768.153:34): arch=40000003 syscall=102
>> success=yes exit=116 a0=b a1=bf95a240 a2=6ecff4 a3=bf96068e items=0
>> ppid=3083 pid=3084 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd"
>> subj=user_u:system_r:useradd_t:s0 key=(null)
>> type=SOCKADDR msg=audit(1152799768.153:34): saddr=100000000000000000000000
>> type=SOCKETCALL msg=audit(1152799768.153:34): nargs=6 a0=3 a1=bf95e4dc
>> a2=74 a3=0 a4=bf95a270 a5=c
>>     
>
> Yes, another program instrumented for audit generation, needs that
> capability.   Why wasn't this taken care of when these programs were
> originally instrumented for audit?  (We are only now getting audit
> denials due to the netlink capability checking patch that went into
> recent kernels, but this would have been getting denied all along, so I
> would have expected it to show up in testing).
>
>   
Testing in permissive mode I guess.
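The exchange above turns on two things a reader of such a log has to work out by hand: what `capability=29` in the AVC record means, and why a denial can appear at all while the SYSCALL record of the same serial says `success=yes`. The script below is an added example, not code from this thread or from the Fedora policy package. It parses audit records in the format quoted above, maps the capability number to its SELinux permission name using the Linux capability numbering (29 is audit_write), builds the allow rule that audit2allow would propose for the denial, and pairs each denied AVC with its SYSCALL record by audit serial: a denied AVC whose syscall still reports `success=yes` was logged but not enforced, which is the permissive-mode signature Dan is pointing at. The sample log is the set of records from Tom's message, re-joined onto single lines; the "permissive" inference is a heuristic assumed here, not an audit-format guarantee.

```python
"""Decode SELinux AVC denials and check whether they were enforced.

Added example: parses audit records like the ones quoted in this thread,
expands capability numbers, proposes the matching allow rule, and infers
enforcement by pairing AVC and SYSCALL records with the same serial.
"""
import re

# SELinux 'capability' class permission names, indexed by the Linux
# capability number carried in the capability= field (CAP_AUDIT_WRITE == 29).
CAPABILITY_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control", "setfcap",
]

# Records from the message above, re-joined onto one line each (constructed sample).
SAMPLE_LOG = """
type=AVC msg=audit(1152799768.153:34): avc:  denied  { audit_write } for  pid=3084 comm="useradd" capability=29 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:system_r:useradd_t:s0 tclass=capability
type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0 auid=500 subj=user_u:system_r:useradd_t:s0 msg='op=adding user acct=dbus exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=SYSCALL msg=audit(1152799768.153:34): arch=40000003 syscall=102 success=yes exit=116 a0=b a1=bf95a240 a2=6ecff4 a3=bf96068e items=0 ppid=3083 pid=3084 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" subj=user_u:system_r:useradd_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(log):
    """Split an audit log into records: type, serial, perms (AVC only) and key=value fields."""
    records = []
    for line in log.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m["type"], "serial": int(m["serial"])}
        body = m["body"]
        if rec["type"] == "AVC":
            a = AVC_RE.search(body)
            if not a:
                continue
            rec["result"] = a["result"]
            rec["perms"] = a["perms"].split()
            body = a["rest"]
        rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        records.append(rec)
    return records


def type_of(context):
    """user:role:type[:level] -> type component."""
    return context.split(":")[2]


def denied_capability(avc):
    """For a tclass=capability AVC, return (number, name); otherwise None."""
    f = avc["fields"]
    if f.get("tclass") != "capability" or "capability" not in f:
        return None
    num = int(f["capability"])
    name = CAPABILITY_NAMES[num] if num < len(CAPABILITY_NAMES) else f"unknown_{num}"
    return num, name


def proposed_rule(avc):
    """Build the TE allow rule that would silence this denial (what audit2allow emits)."""
    f = avc["fields"]
    src, tgt = type_of(f["scontext"]), type_of(f["tcontext"])
    target = "self" if src == tgt else tgt
    perms = sorted(avc["perms"])
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{f['tclass']} {perm};"


def enforcement_status(records):
    """Map each denied AVC serial to 'enforced', 'permissive' or 'unknown'.

    The SYSCALL record sharing the AVC's serial tells us what the kernel
    actually did: success=yes after a denial means the denial was only logged.
    """
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    status = {}
    for r in records:
        if r["type"] != "AVC" or r["result"] != "denied":
            continue
        sc = syscalls.get(r["serial"])
        if sc is None:
            status[r["serial"]] = "unknown"
        elif sc["fields"].get("success") == "yes":
            status[r["serial"]] = "permissive"
        else:
            status[r["serial"]] = "enforced"
    return status


def analyse(log):
    """Return one finding per denied AVC: who, which capability, the rule, and enforcement."""
    records = parse_records(log)
    status = enforcement_status(records)
    findings = []
    for r in records:
        if r["type"] == "AVC" and r["result"] == "denied":
            findings.append({
                "serial": r["serial"],
                "comm": r["fields"].get("comm"),
                "capability": denied_capability(r),
                "rule": proposed_rule(r),
                "status": status[r["serial"]],
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample, the one finding decodes capability 29 as audit_write, proposes `allow useradd_t self:capability audit_write;`, and reports the serial-34 denial as permissive because the paired SYSCALL record still says `success=yes`, which is exactly why a denial like this can go unnoticed in permissive-mode testing.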