shadow: what uid to log?

Steve Grubb sgrubb at redhat.com
Wed Oct 23 16:20:13 UTC 2019


On Thursday, October 17, 2019 5:05:56 PM EDT Christian Göttsche wrote:
> I am working on migrating src:shadow to today's SELinux api and
> enabling audit logging for denials.

From within the application? It seems that policy could be/is written to 
block execution and prevent any changes. That is, unless you are allowing fine 
grained controls like you can update the password but not the user name or 
anything else in the database.

> The question which uid to log with 'audit_log_user_avc_message' came up.

This is normally thought of in a client/server situation such as dbus (system 
not session). Dbus runs as root and has no associated login uid so in this 
case you would want to know who dbus was making a decision for. It would know 
who the peer is.

In the case where the application is invoked by the user, just use the uid of 
whatever account is being operated on. In the case where no account exists 
because it is being created, then use -1.

> What is preferred for the applications like passwd, chfn, ... , which
> might be setuid binaries (getuid, geteuid, 0)?

Hope this helps...

-Steve
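The rule Steve gives above (report the uid of the account being operated on, or -1 when it does not exist yet, rather than getuid()/geteuid() of a setuid tool) as an added C example. This is not code from shadow or from anyone on the thread. The message field layout, the HAVE_LIBAUDIT guard, the injected "sink" used so the path can run without an audit daemon, and the sample contexts are all assumptions made here; the libaudit calls are the real audit_open / audit_log_user_avc_message / audit_close.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef HAVE_LIBAUDIT
#include <libaudit.h>   /* audit_open, audit_log_user_avc_message, AUDIT_USER_AVC */
#endif

/* Which uid to put in the USER_AVC record. When a setuid tool such as
 * passwd or chfn is run by a user, report the uid of the account being
 * operated on; when that account does not exist yet (it is being created),
 * report -1. geteuid() is 0 for any setuid-root tool and tells the auditor
 * nothing, so it is deliberately not used here. */
uid_t avc_uid_for_account(const char *account)
{
    struct passwd *pw = account ? getpwnam(account) : NULL;
    return pw ? pw->pw_uid : (uid_t)-1;
}

/* Build the message body. The layout mimics kernel AVC records so the usual
 * tools can grep it; the exact field set is an assumption of this example,
 * not the format shadow uses. Returns what snprintf would have written. */
int format_avc_message(char *buf, size_t len, const char *perm,
                       const char *scontext, const char *tcontext,
                       const char *tclass, const char *account)
{
    return snprintf(buf, len,
                    "avc: denied { %s } for acct=\"%s\" scontext=%s "
                    "tcontext=%s tclass=%s",
                    perm, account ? account : "?", scontext, tcontext, tclass);
}

/* Where the record goes. Injected so the same code path can be exercised
 * without an audit socket (assumed design, not shadow's). */
typedef int (*avc_sink)(const char *msg, uid_t uid, void *ctx);

#ifdef HAVE_LIBAUDIT
/* Real sink: hand the record to the kernel as a USER_AVC event.
 * audit_log_user_avc_message returns a positive sequence number on success. */
int libaudit_sink(const char *msg, uid_t uid, void *ctx)
{
    (void)ctx;
    int fd = audit_open();
    if (fd < 0)
        return -1;
    int rc = audit_log_user_avc_message(fd, AUDIT_USER_AVC, msg,
                                        NULL, NULL, NULL, uid);
    audit_close(fd);
    return rc > 0 ? 0 : -1;
}
#endif

/* Capture sink for hosts without auditd (and for checking the record). */
struct captured_avc {
    char msg[256];
    uid_t uid;
};

int capture_sink(const char *msg, uid_t uid, void *ctx)
{
    struct captured_avc *c = ctx;
    snprintf(c->msg, sizeof c->msg, "%s", msg);
    c->uid = uid;
    return 0;
}

/* Entry point a setuid tool would call after an SELinux denial. */
int log_shadow_denial(const char *perm, const char *scontext,
                      const char *tcontext, const char *tclass,
                      const char *account, avc_sink sink, void *ctx)
{
    char msg[256];
    if (format_avc_message(msg, sizeof msg, perm, scontext, tcontext,
                           tclass, account) >= (int)sizeof msg)
        return -1;   /* truncated: refuse rather than emit a mangled record */
    return sink(msg, avc_uid_for_account(account), ctx);
}

int main(void)
{
    struct captured_avc c = { "", 0 };
    /* Constructed input: chfn denied write on the passwd file while
     * operating on an account that has not been created yet, so uid is -1. */
    log_shadow_denial("write", "staff_u:staff_r:chfn_t:s0",
                      "system_u:object_r:passwd_file_t:s0", "file",
                      "newuser-not-yet-created", capture_sink, &c);
    printf("uid=%d msg=%s\n", (int)c.uid, c.msg);
    return 0;
}
```

Build with -DHAVE_LIBAUDIT -laudit and pass libaudit_sink instead of capture_sink to send real records; a tool that changes an existing account passes that account's name, so the record carries the target's uid rather than 0.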