[PATCH] fix se_sen audit filter

Darrel Goeddel dgoeddel at trustedcs.com
Wed May 24 14:06:46 UTC 2006 

Michael C Thompson wrote:
> James Antill wrote:
> 
>> On Fri, 2006-05-19 at 12:44 -0500, Michael C Thompson wrote:
>>
>>> James Antill wrote:
>>>
>>>> On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote:
>>>>
>>>>> Thanks, that's what I thought as well. Here is my result of testing 
>>>>> this:
>>>>>
>>>>> root linux user, id:
>>>>> context=root:staff_r:staff_t:SystemLow-SystemHigh
>>>>>
>>>>> mcthomps linux user, id:
>>>>> context=user_u:user_r:user_t:SystemLow
>>>>>
>>>>> When I have the following audit rule is
>>>>>    auditctl -a entry,always -S chmod -F se_clr=s0
>>>>> the chmod actions taken by mcthomps get logged, but not those done 
>>>>> by root (this is as expected).
>>>>
>>>>  This means that a "range" of s0 is being interpreted as:
>>>>
>>>> se_sen=''
>>>> se_clr='s0'
>>>>
>>>> ...which isn't what I'd expect, but given that...
>>>
>>> I'm sorry, I do not follow what you mean here.
>>
>>
>>  The mls range for root is s0-s0:c0.c255, where:
>>
>>  se_sen = s0
>>  se_clr = s0:c0.c255
> 
> 
> Right, this makes sense.
> 
>>  The mls range for mcthomps is s0, given the above works then:
>>
>>  se_clr = s0
>>
>> ...and given the range is s0 and not s0-s0 then se_sen must be blank
>> (and so won't match s0).
> 
> 
> 
> AFIAK, you must have both a low and a high, which means for mcthomps, 
> se_sen=0 and se_clr=s0.
> 
> The testing that I have done with auditctl's se_sen and se_clr filters 
> has the se_clr working for both the root user and the mcthomps user, but 
>  se_sen only captures audit events for mcthomps when:
> auditctl -a entry,always -S chmod -F se_sen=s0
> 
> I would expect that since se_sen=s0 for both root and mcthomps, that 
> both of their chmod actions would be logged, but root's actions are not 
> being captured.
> 
> This leads me to believe either our definition of se_sen is wrong, or if 
> our definition of se_sen is correct, then the implementation of se_sen 
> has some bug in it.

Bug seems to be the way to go here.  Below is a patch that fixes it.




Fix a broken comparison that causes the process clearance to be checked for
both se_clr and se_sen audit filters.

Signed-off-by: Darrel Goeddel <dgoeddel at trustedcs.com>

--

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index c284dbb..e9548bc 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1980,7 +1980,7 @@ int selinux_audit_rule_match(u32 ctxid,
                break;
        case AUDIT_SE_SEN:
        case AUDIT_SE_CLR:
-               level = (op == AUDIT_SE_SEN ?
+               level = (field == AUDIT_SE_SEN ?
                         &ctxt->range.level[0] : &ctxt->range.level[1]);
                switch (op) {
                case AUDIT_EQUAL:

-- 

Darrel

More information about the Linux-audit mailing list