filename not audited for openat() on F28

Richard Guy Briggs rgb at redhat.com
Tue Apr 24 16:40:50 UTC 2018


On 2018-04-20 15:20, Jiri Jaburek wrote:
> (Please CC me on replies.)
> 
> Hello,
> I'm trying to run the audit-test suite on Fedora 28 and am running into
> it expecting a name= field in the SYSCALL entry.
> 
> augrok --seek=697600 -m1 type==SYSCALL         syscall=openat success=no
> pid=3951 auid=1000         uid=0 euid=0 suid=0 fsuid=0         gid=0
> egid=0 sgid=0 fsgid=0 exit=-13
> subj=staff_u:lspp_test_r:lspp_test_generic_t:SystemHigh
> name=tmp.owfFtgPOjx/new

Can you distill this down to one rule and one action that trigger this
so I can do some testing on other versions?  I see no "key=" label on
the rule (explicit or implicit) that triggered it.

This is a bit of a surprise, but I have been doing some work in that
area and I'd like to see if any of it might have caused it.  I'm
doubtful, but would like to track it down to see if it was intentional
or not.

> Fedora 28:
> 
> ----
> time->Fri Apr 20 15:04:59 2018
> type=PROCTITLE msg=audit(1524229499.918:366591):
> proctitle=2F62696E2F62617368002E2F72756E2E62617368002D647600323734
> type=PATH msg=audit(1524229499.918:366591): item=0
> name="tmp.J4IQL7Buxe/" inode=1055495 dev=fd:02 mode=040700 ouid=0 ogid=0
> rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 nametype=PARENT
> cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=CWD msg=audit(1524229499.918:366591):
> cwd="/usr/local/eal4_testing/audit-test/syscalls"
> type=SYSCALL msg=audit(1524229499.918:366591): arch=c000003e syscall=257
> success=no exit=-13 a0=3 a1=7ffc02f0eaf6 a2=c0 a3=16b6010 items=1
> ppid=5275 pid=5276 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=2 comm="do_openat"
> exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat"
> subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
> type=AVC msg=audit(1524229499.918:366591): avc:  denied  { create } for
> pid=5276 comm="do_openat" name="new"
> scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023
> tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
> ----
> 
> RHEL-7.5:
> 
> ----
> time->Fri Apr 20 15:06:59 2018
> type=PROCTITLE msg=audit(1524229619.726:56605):
> proctitle=72756E636F6E0073746166665F753A6C7370705F746573745F723A6C7370705F746573745F67656E657269635F743A53797374656D4869676800646F5F6F70656E6174002F746D7000746D702E30674C74574A336977622F6E6577006372656174650073746166665F753A6F626A6563745F723A757365725F746D705F743A53
> type=PATH msg=audit(1524229619.726:56605): item=1
> name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000
> cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1524229619.726:56605): item=0 name="tmp.0gLtWJ3iwb/"
> inode=1055489 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00
> obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 objtype=PARENT
> cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=CWD msg=audit(1524229619.726:56605):
> cwd="/usr/local/eal4_testing/audit-test/syscalls"
> type=SYSCALL msg=audit(1524229619.726:56605): arch=c000003e syscall=257
> success=no exit=-13 a0=3 a1=7ffc1ecd6b57 a2=c0 a3=0 items=2 ppid=20750
> pid=20751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=1595 comm="do_openat"
> exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat"
> subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
> ----
> 
> The key difference here is probably the absence of
> 
> type=PATH msg=audit(1524229619.726:56605): item=1
> name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000
> cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> 
> on Fedora 28, which augrok looks for.
> 
> Is this expected?
> 
> 
> 
> I'm seeing something similar with other syscalls like
> 
> creat("/tmp/tmp.9EsMgMuio7/new", 0700)
> 
> producing
> 
> ----
> type=PROCTITLE msg=audit(04/20/2018 15:15:35.547:371576) :
> proctitle=runcon staff_u:lspp_test_r:lspp_test_generic_t:SystemHigh
> do_creat /tmp/tmp.9EsMgMuio7/new staff_u:object_r:user_tmp_t:SystemLow
> type=PATH msg=audit(04/20/2018 15:15:35.547:371576) : item=0
> name=/tmp/tmp.9EsMgMuio7/ inode=1572964 dev=fd:02 mode=dir,700 ouid=root
> ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
> nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(04/20/2018 15:15:35.547:371576) :
> cwd=/usr/local/eal4_testing/audit-test/syscalls
> type=SYSCALL msg=audit(04/20/2018 15:15:35.547:371576) : arch=x86_64
> syscall=creat success=no exit=EACCES(Permission denied)
> a0=0x7ffc41d04af9 a1=0700 a2=0x0 a3=0x0 items=1 ppid=6779 pid=6780
> auid=eal uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=(none) ses=2 comm=do_creat
> exe=/usr/local/eal4_testing/audit-test/utils/bin/do_creat
> subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
> type=AVC msg=audit(04/20/2018 15:15:35.547:371576) : avc:  denied  {
> create } for  pid=6780 comm=do_creat name=new
> scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023
> tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
> ----
> 
> but the lack of "/new" in PATH here seems more like a bug.
> 
> Thanks,
> Jiri

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
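Added example, not part of this thread, of augrok, or of the audit-test suite: a small Python checker that groups raw audit records by their audit(ts:serial) event id and flags a file-creating syscall whose event carries no CREATE/NORMAL PATH item for the target name, which is the symptom reported above. The sample records are reconstructed from the Fedora 28 and RHEL 7.5 captures quoted in the thread, re-joined one record per line. The x86_64 syscall numbers, the O_CREAT flag value, and the handling of both the older objtype= and the newer nametype= PATH field are assumptions taken from the kernel ABI and audit record format, not facts the thread states.

```python
"""Group raw audit records into events and flag file-creating syscalls
whose event lacks a PATH item for the target name (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the two captures quoted in the thread, one
# raw record per line (the original posting had them wrapped).
F28_RECORDS = """\
type=PROCTITLE msg=audit(1524229499.918:366591): proctitle=2F62696E2F62617368002E2F72756E2E62617368002D647600323734
type=PATH msg=audit(1524229499.918:366591): item=0 name="tmp.J4IQL7Buxe/" inode=1055495 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1524229499.918:366591): cwd="/usr/local/eal4_testing/audit-test/syscalls"
type=SYSCALL msg=audit(1524229499.918:366591): arch=c000003e syscall=257 success=no exit=-13 a0=3 a1=7ffc02f0eaf6 a2=c0 a3=16b6010 items=1 ppid=5275 pid=5276 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="do_openat" exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat" subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1524229499.918:366591): avc:  denied  { create } for  pid=5276 comm="do_openat" name="new" scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
"""

RHEL75_RECORDS = """\
type=PATH msg=audit(1524229619.726:56605): item=1 name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1524229619.726:56605): item=0 name="tmp.0gLtWJ3iwb/" inode=1055489 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1524229619.726:56605): cwd="/usr/local/eal4_testing/audit-test/syscalls"
type=SYSCALL msg=audit(1524229619.726:56605): arch=c000003e syscall=257 success=no exit=-13 a0=3 a1=7ffc1ecd6b57 a2=c0 a3=0 items=2 ppid=20750 pid=20751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1595 comm="do_openat" exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat" subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r'audit\(([\d.]+:\d+)\)')

# Assumed from the x86_64 ABI: syscall numbers and the O_CREAT open flag.
SYS_OPEN, SYS_CREAT, SYS_OPENAT = 2, 85, 257
O_CREAT = 0o100


def parse_record(line):
    """Split one raw record into key/value fields; quoted values lose quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_ID_RE.search(line)
    fields["event_id"] = m.group(1) if m else None
    return fields


def group_events(text):
    """Collect records into events keyed by the audit(ts:serial) id."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event_id"]].append(rec)
    return dict(events)


def expects_target_path(syscall_rec):
    """True if the call would create a file, so a CREATE/NORMAL PATH item is due."""
    nr = int(syscall_rec["syscall"])
    if nr == SYS_CREAT:
        return True
    if nr in (SYS_OPEN, SYS_OPENAT):
        flags_field = "a1" if nr == SYS_OPEN else "a2"  # openat has dirfd in a0
        return bool(int(syscall_rec[flags_field], 16) & O_CREAT)
    return False


def check_event(records):
    """Report whether a file-creating event names its target in a PATH item."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    paths = [r for r in records if r["type"] == "PATH"]
    # older kernels label the item kind objtype=, newer ones nametype=
    kinds = [r.get("nametype") or r.get("objtype") for r in paths]
    targets = [r["name"] for r, k in zip(paths, kinds) if k in ("CREATE", "NORMAL")]
    return {
        "syscall": int(syscall["syscall"]),
        "items_declared": int(syscall["items"]),
        "path_records": len(paths),
        "target_names": targets,
        "missing_target_path": expects_target_path(syscall) and not targets,
    }


def decode_proctitle(hexstr):
    """PROCTITLE stores argv hex-encoded with NUL bytes between arguments."""
    return bytes.fromhex(hexstr).decode().split("\0")


if __name__ == "__main__":
    for label, text in (("Fedora 28", F28_RECORDS), ("RHEL 7.5", RHEL75_RECORDS)):
        for eid, recs in group_events(text).items():
            print(label, eid, check_event(recs))
```

Run against the two samples, the Fedora 28 event reports missing_target_path=True with a single PARENT item (consistent with its items=1), while the RHEL 7.5 event reports the CREATE item tmp.0gLtWJ3iwb/new. The check deliberately trusts only PATH records for the target name: the AVC line on Fedora 28 does carry name="new", but that comes from SELinux, not from the audit name collection augrok relies on.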
