auditctl se_sen & se_clr

Michael C Thompson thompsmc at us.ibm.com
Fri May 19 15:30:20 UTC 2006 

Stephen Smalley wrote:
> On Fri, 2006-05-19 at 10:07 -0500, Michael C Thompson wrote:
>> Hey all,
>>
>> I'm trying to figure out how the se_sen and se_clr labels are supposed 
>> to be used with auditctl.
>>
>> Here is the selinux context:
>> subj=root:staff_r:staff_t:s0-s15:c0.c255
>>        ^      ^       ^        ^
>>     se_user   ^    se_type     ^
>>             se_role          se_clr & se_sen
>>
>> What is the difference between se_clr and se_sen? And if you have any 
>> enlightening examples, that would be appreciated.
> 
> IIRC, se_sen is how audit refers to the low level (aka sensitivity,
> current level) and se_clr is how audit refers to the high level (aka
> clearance, max level) of a MLS range in a SELinux context.  In the
> context above, the se_sen would be the "s0" and the se_clr would be the
> "s15:c0.c255".

Thanks, that's what I thought as well. Here is my result of testing this:

root linux user, id:
uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
context=root:staff_r:staff_t:SystemLow-SystemHigh

mcthomps linux user, id:
uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps) 
context=user_u:user_r:user_t:SystemLow

When I have the following audit rule is
   auditctl -a entry,always -S chmod -F se_clr=s0
the chmod actions taken by mcthomps get logged, but not those done by 
root (this is as expected).

When the audit rule is
   auditctl -a entry,always -S chmod -F se_clr=s15:c0.c255
the chmod actions taken by root get logged, but not by mcthomps (also 
expected).

However, for se_sen, this does not seem to be the case. The rule:
   auditctl -a entry,always -S chmod -F se_se=s0
should cause chmod actions taken by both mcthomps and root to be logged, 
right? However, I'm only seeing the result of actions taken by mcthomps.

I've also tried to see if se_sen was the entire context, but that 
doesn't seem to be the case...

Any ideas? If someone else could take a crack at testing this too, I'd 
like to make sure its not just me :)

Thanks,
Mike

More information about the Linux-audit mailing list