[redhat-lspp] Re: policy issues in 2.3.18-10 - auditadm_r & audit.log

Daniel J Walsh dwalsh at redhat.com
Thu Oct 19 12:10:28 UTC 2006


Michael C Thompson wrote:
> With the following contexts:
>
> bash-3.1# id
> uid=0(root) gid=0(root) 
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
> context=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
> bash-3.1# ls -Z /var/log/audit/audit.log
> -rw-r-----  root root system_u:object_r:auditd_log_t:s15:c0.c1023 
> /var/log/audit/audit.log
>
> Doing a simple less /var/log/audit/audit.log generates the following 
> AVC records. The operation succeeds, but this seems like an excessive 
> amount of records that are being generated. Is there a reason why 
> auditadm_t is disallowed dac_override?
>
> type=AVC msg=audit(1161117931.187:182): avc:  denied  { dac_override } 
> for  pid=1998 comm="less" capability=1 
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=AVC msg=audit(1161117931.187:182): avc:  denied  { 
> dac_read_search } for  pid=1998 comm="less" capability=2 
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33 
> success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0 
> ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" 
> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>
> type=AVC msg=audit(1161117931.187:183): avc:  denied  { dac_override } 
> for  pid=1998 comm="less" capability=1 
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=AVC msg=audit(1161117931.187:183): avc:  denied  { 
> dac_read_search } for  pid=1998 comm="less" capability=2 
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=SYSCALL msg=audit(1161117931.187:183): arch=14 syscall=5 
> success=no exit=-13 a0=100400d8 a1=10000 a2=0 a3=73 items=0 ppid=1846 
> pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" 
> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>
> type=AVC msg=audit(1161117931.187:184): avc:  denied  { dac_override } 
> for  pid=1998 comm="less" capability=1 
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=AVC msg=audit(1161117931.187:184): avc:  denied  { 
> dac_read_search } for  pid=1998 comm="less" capability=2 
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=SYSCALL msg=audit(1161117931.187:184): arch=14 syscall=5 
> success=no exit=-13 a0=10042200 a1=10000 a2=1b6 a3=1b6 items=0 
> ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" 
> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>
> type=AVC msg=audit(1161117931.195:185): avc:  denied  { dac_override } 
> for  pid=1999 comm="sh" capability=1 
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=AVC msg=audit(1161117931.195:185): avc:  denied  { 
> dac_read_search } for  pid=1999 comm="sh" capability=2 
> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
> type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195 
> success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660 
> a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh" 
> exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
> key=(null)
>
>
I can add dac_override and dac_read_search, but I have no idea why they 
are needed.

Is there something in the path that root is not allowed to read?  Are 
you in a directory where root is not allowed to read?
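What the kernel is doing on each of the denied accesses quoted above, as an added example that is not part of this thread: a Python mirror of the DAC check in generic_permission() (assumed to be the code path behind the quoted records) plus a parser for the tclass=capability AVC lines. Root's groups and the audit.log ownership and mode come from the quoted `id` and `ls -Z` output; the other scenario values are constructed.

```python
"""Mirror of the DAC decision in the kernel's generic_permission() (2.6-era
logic, assumed to be the code path behind the quoted denials): the mode bits
are tried first; only when they fail does the kernel consult CAP_DAC_OVERRIDE
and then CAP_DAC_READ_SEARCH, which is why each failed access above produced
a dac_override AND a dac_read_search AVC.  Added example; values constructed."""
import re
import stat

MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4               # kernel MAY_* masks
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}  # capability= numbers

def dac_capabilities_consulted(mode, uid, gid, mask, fsuid, groups):
    """Capabilities generic_permission() checks, in order, before returning
    EACCES (exit=-13); [] means the permission bits alone granted `mask`."""
    bits = mode
    if fsuid == uid:
        bits >>= 6                                   # owner triple
    elif gid in groups:
        bits >>= 3                                   # group triple
    if (bits & mask & 7) == mask:
        return []
    caps = []
    is_dir = stat.S_ISDIR(mode)
    # Read/write DACs are always overridable; exec only if an x bit is set
    # or the inode is a directory.
    if not (mask & MAY_EXEC) or (mode & 0o111) or is_dir:
        caps.append("dac_override")
    # A plain read, or a directory search, may also use the weaker capability.
    if mask == MAY_READ or (is_dir and not (mask & MAY_WRITE)):
        caps.append("dac_read_search")
    return caps

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(\w+)\s*\}.*?comm="([^"]+)"\s+capability=(\d+)')

def parse_capability_avc(record):
    """(permission, comm, capability name) from a tclass=capability AVC record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    perm, comm, capnum = m.groups()
    return perm, comm, CAP_NAMES.get(int(capnum), "CAP_" + capnum)

ROOT_GROUPS = {0, 1, 2, 3, 4, 6, 10}                 # from the `id` output above
# root reading /var/log/audit/audit.log (root:root 0640): bits suffice, no AVC
AUDIT_LOG = dac_capabilities_consulted(0o100640, 0, 0, MAY_READ, 0, ROOT_GROUPS)
# root reading a 0600 file owned by uid 500 (constructed): both caps consulted
USER_FILE = dac_capabilities_consulted(0o100600, 500, 500, MAY_READ, 0, ROOT_GROUPS)
# root creating a file in a 0700 directory owned by uid 500 (constructed)
USER_DIR_WRITE = dac_capabilities_consulted(0o040700, 500, 500, MAY_WRITE | MAY_EXEC, 0, ROOT_GROUPS)
```

The audit.log case never reaches a capability check, so the quoted denials must come from some other inode on the path less (or its `sh` helper) touches, which is the question the reply raises.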
