auditctl se_sen & se_clr
Michael C Thompson
thompsmc at us.ibm.com
Fri May 19 17:44:14 UTC 2006
James Antill wrote:
> On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote:
>
>> Thanks, that's what I thought as well. Here is my result of testing this:
>>
>> root linux user, id:
>> uid=0(root) gid=0(root)
>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>> context=root:staff_r:staff_t:SystemLow-SystemHigh
>>
>> mcthomps linux user, id:
>> uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps)
>> context=user_u:user_r:user_t:SystemLow
>>
>> When I have the following audit rule is
>> auditctl -a entry,always -S chmod -F se_clr=s0
>> the chmod actions taken by mcthomps get logged, but not those done by
>> root (this is as expected).
>
>
> This means that a "range" of s0 is being interpreted as:
>
> se_sen=''
> se_clr='s0'
>
> ...which isn't what I'd expect, but given that...
I'm sorry, I do not follow what you mean here.
>> When the audit rule is
>> auditctl -a entry,always -S chmod -F se_clr=s15:c0.c255
>> the chmod actions taken by root get logged, but not by mcthomps (also
>> expected).
>>
>> However, for se_sen, this does not seem to be the case. The rule:
>> auditctl -a entry,always -S chmod -F se_se=s0
>> should cause chmod actions taken by both mcthomps and root to be logged,
>> right? However, I'm only seeing the result of actions taken by mcthomps.
>
> This follows the same methodology.
again, I'm confused as to what you mean.
Thanks,
Mike
More information about the Linux-audit
mailing list