audit capability checks not audited

Stephen Smalley sds at tycho.nsa.gov
Tue May 17 12:27:28 UTC 2005


Hi,

We're starting to see bug reports of SELinux denials with no audit
messages in FC4/devel due to the fact that the audit capabilities are
checked on the receive side via a direct cap_raised() test on the
effective capability set saved earlier by the netlink_send hook.  This
manifests as programs failing in enforcing mode and working in
permissive mode, but no audit messages being generated.  I know there
was an earlier rfc/patch by Chris to allow moving the netlink message
checking to the send side via a new callback, which would allow us to
perform a traditional capable() call rather than a direct cap_raised()
test and thus have the usual auditing behavior for SELinux there.  Is
that stalled?

-- 
Stephen Smalley
National Security Agency

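The post contrasts two ways of checking a capability: a direct cap_raised() bit test on the effective set that the netlink_send hook stashed in the skb, which has no security-module hook and therefore records nothing, and a capable() call, which passes through the security module and so produces the usual denial record. The following is an added user-space model written for this page, not code from the post or from the kernel tree: the task and netlink control-block structs, the audit sink, the sender named "auditctl" and the denial-record text are all constructed placeholders; only the CAP_NET_ADMIN and CAP_AUDIT_CONTROL numbers are real Linux capability values. It shows why a request can be refused in enforcing mode with an empty audit log on one path and not the other.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t kernel_cap_t;                     /* capability set as a bit mask */
#define CAP_TO_MASK(bit) ((kernel_cap_t)1 << (bit))
enum { CAP_NET_ADMIN = 12, CAP_AUDIT_CONTROL = 30 }; /* Linux capability numbers */

struct task_struct { const char *comm; kernel_cap_t cap_effective; }; /* constructed */
struct netlink_cb { kernel_cap_t eff_cap; };       /* stand-in for NETLINK_CB(skb).eff_cap */

/* Modelled on the kernel's cap_raised(): a pure bit test with no security-module
 * hook, so a failed test leaves nothing in the audit log. */
static bool cap_raised(kernel_cap_t set, int bit)
{
    return (set & CAP_TO_MASK(bit)) != 0;
}

/* Constructed audit sink standing in for the kernel audit log. */
#define AUDIT_MAX 8
static char audit_log[AUDIT_MAX][96];
static int audit_count;

static void audit_log_denial(const struct task_struct *t, int bit)
{
    if (audit_count < AUDIT_MAX)
        snprintf(audit_log[audit_count++], sizeof audit_log[0],
                 "avc: denied { capability } comm=%s capability=%d", t->comm, bit);
}

/* Modelled on capable(): the check goes through the security module, which
 * records every denial. The record text is a constructed approximation. */
static bool capable(const struct task_struct *t, int bit)
{
    bool ok = cap_raised(t->cap_effective, bit);
    if (!ok)
        audit_log_denial(t, bit);
    return ok;
}

/* Send side: the netlink_send hook snapshots the sender's effective set. */
static void netlink_send_hook(const struct task_struct *t, struct netlink_cb *cb)
{
    cb->eff_cap = t->cap_effective;
}

/* Receive side as the post describes it: a direct cap_raised() on the saved set. */
static bool audit_receive_check(const struct netlink_cb *cb, int bit)
{
    return cap_raised(cb->eff_cap, bit);
}

/* Alternative the post asks about: a capable() call on the sending task itself. */
static bool audit_send_check(const struct task_struct *t, int bit)
{
    return capable(t, bit);
}

/* One scenario: a constructed sender holding only CAP_NET_ADMIN asks for an
 * operation gated on CAP_AUDIT_CONTROL. Returns whether it was allowed;
 * audit_records() then tells how many denial records the path produced. */
static bool run_scenario(bool via_capable)
{
    struct task_struct sender = { "auditctl", CAP_TO_MASK(CAP_NET_ADMIN) };
    struct netlink_cb cb;
    audit_count = 0;
    netlink_send_hook(&sender, &cb);
    return via_capable ? audit_send_check(&sender, CAP_AUDIT_CONTROL)
                       : audit_receive_check(&cb, CAP_AUDIT_CONTROL);
}

static int audit_records(void) { return audit_count; }
static const char *audit_last(void) { return audit_count ? audit_log[audit_count - 1] : ""; }

int main(void)
{
    bool allowed = run_scenario(false);
    printf("receive-side cap_raised(): %s, audit records: %d\n",
           allowed ? "allowed" : "denied", audit_records());
    allowed = run_scenario(true);
    printf("send-side capable():       %s, audit records: %d\n",
           allowed ? "allowed" : "denied", audit_records());
    if (audit_records())
        printf("  %s\n", audit_last());
    return 0;
}
```

Both paths deny the request; only the capable() path leaves a record, which is the symptom the post describes (failure in enforcing mode, success in permissive mode, nothing in the log). Moving the check to the send side also means the decision is made against the live task rather than a copy of its effective set taken earlier.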