[redhat-lspp] policy issues in 2.3.18-10 - auditadm_r & audit.log
Michael C Thompson
thompsmc at us.ibm.com
Tue Oct 17 20:52:18 UTC 2006
With the following contexts:
bash-3.1# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
bash-3.1# ls -Z /var/log/audit/audit.log
-rw-r----- root root system_u:object_r:auditd_log_t:s15:c0.c1023
/var/log/audit/audit.log
Doing a simple less /var/log/audit/audit.log generates the following AVC
records. The operation succeeds, but this seems like an excessive number
of records to be generating. Is there a reason why auditadm_t is
disallowed dac_override?
type=AVC msg=audit(1161117931.187:182): avc: denied { dac_override }
for pid=1998 comm="less" capability=1
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:182): avc: denied { dac_read_search
} for pid=1998 comm="less" capability=2
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33
success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0 ppid=1846
pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.187:183): avc: denied { dac_override }
for pid=1998 comm="less" capability=1
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:183): avc: denied { dac_read_search
} for pid=1998 comm="less" capability=2
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:183): arch=14 syscall=5 success=no
exit=-13 a0=100400d8 a1=10000 a2=0 a3=73 items=0 ppid=1846 pid=1998
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 comm="less" exe="/usr/bin/less"
subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.187:184): avc: denied { dac_override }
for pid=1998 comm="less" capability=1
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:184): avc: denied { dac_read_search
} for pid=1998 comm="less" capability=2
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:184): arch=14 syscall=5 success=no
exit=-13 a0=10042200 a1=10000 a2=1b6 a3=1b6 items=0 ppid=1846 pid=1998
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 comm="less" exe="/usr/bin/less"
subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.195:185): avc: denied { dac_override }
for pid=1999 comm="sh" capability=1
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.195:185): avc: denied { dac_read_search
} for pid=1999 comm="sh" capability=2
scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195
success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660
a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh"
exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
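An added example (not from the original post or the redhat-lspp project) that correlates the AVC records above with the SYSCALL record carrying the same audit serial, so each denied capability can be attributed to the specific call, comm and exe that triggered it. The sample records are constructed from the ones quoted in the message, with the wrapped lines re-joined; the syscall number is left raw because it is arch-specific.

```python
# Added example (not from the original post): correlate each AVC denial with the
# SYSCALL record of the same audit event, so every denied capability is tied to
# the comm/exe, syscall number and exit code of the call that triggered it.
import re
from collections import defaultdict

# Constructed sample: two events abridged from the post (wrapped AVC lines re-joined).
SAMPLE = """type=AVC msg=audit(1161117931.187:182): avc: denied { dac_override } for pid=1998 comm="less" capability=1 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:182): avc: denied { dac_read_search } for pid=1998 comm="less" capability=2 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33 success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0 ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.195:185): avc: denied { dac_override } for pid=1999 comm="sh" capability=1 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195 success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660 a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh" exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # (timestamp, serial)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value, quoted or bare
PERMS_RE = re.compile(r"denied\s*\{([^}]*)\}")           # the { perm ... } set

def parse_record(line):
    """One audit record -> (serial, type, fields, denied perms), or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    return int(m.group(2)), fields.get("type"), fields, (perms.group(1).split() if perms else [])

def summarize(text):
    """Group records by event serial; return one summary dict per event, in order."""
    events = defaultdict(lambda: {"denied": [], "syscall": {}})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        serial, rtype, fields, perms = rec
        if rtype == "AVC" and fields.get("tclass") == "capability":
            events[serial]["denied"].extend(perms)
        elif rtype == "SYSCALL":
            events[serial]["syscall"] = fields
    out = []
    for serial in sorted(events):
        sc = events[serial]["syscall"]  # empty if the SYSCALL record was not captured
        out.append({"serial": serial, "comm": sc.get("comm"), "exe": sc.get("exe"),
                    "syscall": sc.get("syscall"),  # number is arch-specific (arch=14 here)
                    "exit": int(sc["exit"]) if "exit" in sc else None,
                    "denied": events[serial]["denied"]})
    return out
```

Run `summarize(open("/var/log/audit/audit.log").read())` on a real log to see which calls accumulate the capability denials; events whose SYSCALL record is missing show up with empty comm/exe and None for syscall and exit.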