audit in /selinux directory
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 9 21:17:29 UTC 2007
On Fri, 2007-03-09 at 16:13 -0500, Stephen Smalley wrote:
> On Fri, 2007-03-09 at 15:23 -0500, Steve Grubb wrote:
> > On Friday 09 March 2007 14:31, Camilo Y. Campo wrote:
> > > The cat command failed and audit is saying "success". A bit strange for
> > > me. Could anybody clarify this point for me, please?
> >
> > It works correctly for me:
> >
> > fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > open("/selinux/disable", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
>
> You got EACCES rather than EINVAL, so your test didn't reach the same
> point in the code path. Try it as root (and with appropriate SELinux
> role/domain if under -strict or -mls).
I tried it, and the open succeeds, but the read fails with -EINVAL
because the underlying pseudo file doesn't implement a read method at
all for that node. So the audit is only capturing the open, which was
successful.
>
> > write(2, "cat: ", 5cat: ) = 5
> >
> > type=PATH msg=audit(03/09/2007 15:21:10.652:947) : item=0
> > name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root
> > rdev=00:00 obj=system_u:object_r:security_t:s0
> > type=CWD msg=audit(03/09/2007 15:21:10.652:947) : cwd=/home/sgrubb
> > type=SYSCALL msg=audit(03/09/2007 15:21:10.652:947) : arch=i386 syscall=open
> > success=no exit=-13(Permission denied) a0=bfca4954 a1=8000 a2=0 a3=8000
> > items=1 ppid=4740 pid=4741 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb
> > suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts0
> > comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)
> >
> > Try running with strace so you can see the open syscall.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
--
Stephen Smalley
National Security Agency
More information about the Linux-audit
mailing list