[PATCH] fix se_sen audit filter
Darrel Goeddel
dgoeddel at trustedcs.com
Wed May 24 14:06:46 UTC 2006
Michael C Thompson wrote:
> James Antill wrote:
>
>> On Fri, 2006-05-19 at 12:44 -0500, Michael C Thompson wrote:
>>
>>> James Antill wrote:
>>>
>>>> On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote:
>>>>
>>>>> Thanks, that's what I thought as well. Here is my result of testing
>>>>> this:
>>>>>
>>>>> root linux user, id:
>>>>> context=root:staff_r:staff_t:SystemLow-SystemHigh
>>>>>
>>>>> mcthomps linux user, id:
>>>>> context=user_u:user_r:user_t:SystemLow
>>>>>
>>>>> When I have the following audit rule is
>>>>> auditctl -a entry,always -S chmod -F se_clr=s0
>>>>> the chmod actions taken by mcthomps get logged, but not those done
>>>>> by root (this is as expected).
>>>>
>>>> This means that a "range" of s0 is being interpreted as:
>>>>
>>>> se_sen=''
>>>> se_clr='s0'
>>>>
>>>> ...which isn't what I'd expect, but given that...
>>>
>>> I'm sorry, I do not follow what you mean here.
>>
>>
>> The mls range for root is s0-s0:c0.c255, where:
>>
>> se_sen = s0
>> se_clr = s0:c0.c255
>
>
> Right, this makes sense.
>
>> The mls range for mcthomps is s0, given the above works then:
>>
>> se_clr = s0
>>
>> ...and given the range is s0 and not s0-s0 then se_sen must be blank
>> (and so won't match s0).
>
>
>
> AFIAK, you must have both a low and a high, which means for mcthomps,
> se_sen=0 and se_clr=s0.
>
> The testing that I have done with auditctl's se_sen and se_clr filters
> has the se_clr working for both the root user and the mcthomps user, but
> se_sen only captures audit events for mcthomps when:
> auditctl -a entry,always -S chmod -F se_sen=s0
>
> I would expect that since se_sen=s0 for both root and mcthomps, that
> both of their chmod actions would be logged, but root's actions are not
> being captured.
>
> This leads me to believe either our definition of se_sen is wrong, or if
> our definition of se_sen is correct, then the implementation of se_sen
> has some bug in it.
Bug seems to be the way to go here. Below is a patch that fixes it.
Fix a broken comparison that causes the process clearance to be checked for
both se_clr and se_sen audit filters.
Signed-off-by: Darrel Goeddel <dgoeddel at trustedcs.com>
--
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index c284dbb..e9548bc 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1980,7 +1980,7 @@ int selinux_audit_rule_match(u32 ctxid,
break;
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
- level = (op == AUDIT_SE_SEN ?
+ level = (field == AUDIT_SE_SEN ?
&ctxt->range.level[0] : &ctxt->range.level[1]);
switch (op) {
case AUDIT_EQUAL:
--
Darrel
More information about the Linux-audit
mailing list