[redhat-lspp] Re: policy issues in 2.3.18-10 - auditadm_r & audit.log
Daniel J Walsh
dwalsh at redhat.com
Thu Oct 19 12:10:28 UTC 2006
Michael C Thompson wrote:
> With the following contexts:
>
> bash-3.1# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> bash-3.1# ls -Z /var/log/audit/audit.log
> -rw-r----- root root system_u:object_r:auditd_log_t:s15:c0.c1023
> /var/log/audit/audit.log
>
> Doing a simple less /var/log/audit/audit.log generates the following
> AVC records. The operation succeeds, but this seems like an excessive
> amount of records that are being generated. Is there a reason why
> auditadm_t is disallowed dac_override?
>
>
> type=AVC msg=audit(1161117931.187:182): avc: denied { dac_override }
> for pid=1998 comm="less" capability=1
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=AVC msg=audit(1161117931.187:182): avc: denied {
> dac_read_search } for pid=1998 comm="less" capability=2
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33
> success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0
> ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>
> type=AVC msg=audit(1161117931.187:183): avc: denied { dac_override }
> for pid=1998 comm="less" capability=1
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=AVC msg=audit(1161117931.187:183): avc: denied {
> dac_read_search } for pid=1998 comm="less" capability=2
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=SYSCALL msg=audit(1161117931.187:183): arch=14 syscall=5
> success=no exit=-13 a0=100400d8 a1=10000 a2=0 a3=73 items=0 ppid=1846
> pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>
> type=AVC msg=audit(1161117931.187:184): avc: denied { dac_override }
> for pid=1998 comm="less" capability=1
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=AVC msg=audit(1161117931.187:184): avc: denied {
> dac_read_search } for pid=1998 comm="less" capability=2
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=SYSCALL msg=audit(1161117931.187:184): arch=14 syscall=5
> success=no exit=-13 a0=10042200 a1=10000 a2=1b6 a3=1b6 items=0
> ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>
> type=AVC msg=audit(1161117931.195:185): avc: denied { dac_override }
> for pid=1999 comm="sh" capability=1
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=AVC msg=audit(1161117931.195:185): avc: denied {
> dac_read_search } for pid=1999 comm="sh" capability=2
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195
> success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660
> a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh"
> exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> key=(null)
>
>
I can add dac_override and dac_read_search, but I have no idea why they
are needed.
Is there something in the path that root is not allowed to read? Are
you in a directory where root is not allowed to read?
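As an added example that is not part of the thread, the script below does the triage step the question calls for: it groups the audit records by their audit(ts:serial) id, pairs each AVC with the SYSCALL record of the same event, decodes the capability numbers and errno, and collapses the denials into the allow rule Daniel says he can add. The sample records are copied from the quoted post (events 182 and 185), rejoined onto single lines; everything else, including the helper names, is illustrative and assumed.

```python
import re
from collections import defaultdict

# Sample records copied from the post above (events 182 and 185),
# rejoined onto single lines so each record parses as one line.
SAMPLE = """\
type=AVC msg=audit(1161117931.187:182): avc: denied { dac_override } for pid=1998 comm="less" capability=1 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:182): avc: denied { dac_read_search } for pid=1998 comm="less" capability=2 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33 success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0 ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.195:185): avc: denied { dac_override } for pid=1999 comm="sh" capability=1 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.195:185): avc: denied { dac_read_search } for pid=1999 comm="sh" capability=2 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195 success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660 a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh" exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
"""

# Linux capability numbers as they appear in the capability= field.
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ ([^}]*) \} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line):
    """Turn the key=value pairs of one record into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def group_events(text):
    """Group AVC and SYSCALL records that share one audit(ts:serial) id."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = parse_fields(line)
        if fields.get("type") == "AVC":
            a = AVC_RE.search(line)
            events[serial]["avc"].append({
                "perms": a.group(1).split(),
                "scontext": a.group(2),
                "tcontext": a.group(3),
                "tclass": a.group(4),
                "comm": fields.get("comm"),
                "capability": int(fields["capability"]) if "capability" in fields else None,
            })
        elif fields.get("type") == "SYSCALL":
            events[serial]["syscall"] = fields
    return dict(events)


def summarize(events):
    """One row per event: which process was denied which capability, and
    whether the underlying syscall really failed (exit=-13 is EACCES)."""
    rows = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev["syscall"] or {}
        caps = sorted({CAP_NAMES.get(a["capability"], str(a["capability"]))
                       for a in ev["avc"]})
        rows.append({
            "serial": serial,
            "comm": sc.get("comm") or (ev["avc"][0]["comm"] if ev["avc"] else None),
            "exe": sc.get("exe"),
            "syscall": sc.get("syscall"),   # number is per arch=; resolve with ausyscall
            "uid": sc.get("uid"),
            "failed": sc.get("success") == "no",
            "errno": -int(sc["exit"]) if "exit" in sc else None,
            "caps": caps,
        })
    return rows


def allow_rules(events):
    """Collapse all AVC records into policy allow rules, the way
    audit2allow derives them; capability checks have scontext == tcontext,
    so the target is written as self."""
    needed = defaultdict(set)
    for ev in events.values():
        for a in ev["avc"]:
            stype = a["scontext"].split(":")[2]
            ttype = a["tcontext"].split(":")[2]
            target = "self" if a["scontext"] == a["tcontext"] else ttype
            needed[(stype, target, a["tclass"])].update(a["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]


if __name__ == "__main__":
    evs = group_events(SAMPLE)
    for row in summarize(evs):
        print(row)
    print("\n".join(allow_rules(evs)))
```

The summary rows are the part worth reading before adding any rule: every event here runs as uid=0 and still gets EACCES on a root-owned 0640 file, which is exactly why the reply asks what in the path root cannot read. The generated rule (allow auditadm_t self:capability { dac_override dac_read_search };) silences the records, but it only answers the question if the DAC failure is expected.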