auditctl se_sen & se_clr
James Antill
jantill at redhat.com
Fri May 19 16:31:00 UTC 2006
On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote:
> Thanks, that's what I thought as well. Here is my result of testing this:
>
> root linux user, id:
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:staff_r:staff_t:SystemLow-SystemHigh
>
> mcthomps linux user, id:
> uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps)
> context=user_u:user_r:user_t:SystemLow
>
> When I have the following audit rule is
> auditctl -a entry,always -S chmod -F se_clr=s0
> the chmod actions taken by mcthomps get logged, but not those done by
> root (this is as expected).
This means that a "range" of s0 is being interpreted as:
se_sen=''
se_clr='s0'
...which isn't what I'd expect, but given that...
> When the audit rule is
> auditctl -a entry,always -S chmod -F se_clr=s15:c0.c255
> the chmod actions taken by root get logged, but not by mcthomps (also
> expected).
>
> However, for se_sen, this does not seem to be the case. The rule:
> auditctl -a entry,always -S chmod -F se_se=s0
> should cause chmod actions taken by both mcthomps and root to be logged,
> right? However, I'm only seeing the result of actions taken by mcthomps.
This follows the same methodology.
--
James Antill
<james.antill at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20060519/95f3cdf2/attachment.sig>
More information about the Linux-audit
mailing list