Hello,

On Thursday, January 18, 2024 7:46:13 AM EST Max Nebiun wrote:
> I'm trying to develop an Auditd plugin.
> This plugin needs to read information about some processes by reading the /proc
> filesystem. But the SELinux policy applied to Auditd (and its plugins)
> prevents the access. I'm using AlmaLinux release 8.8 (Sapphire Caracal)
> distribution
> Auditd version: audit-3.0.7-4.el8.x86_64
> SELinux Auditd plugin context: system_u:system_r:auditd_t:s0
>
> If I run the plugin directly from bash, it can read all the information it
> needs (but obviously it cannot receive Auditd logs)
Yes. Bash is in the user session which is likely unconfined_t. What you want to do is one of 2 things.

1) Create your own SELinux policy. Start by making a transition for your program from auditd_t to your own type. You may need to change the label of the plugin to an exec_t type which you will then use to create policy placing it in its final domain. Then run in permissive mode and restart auditd. Exercise the plugin so that you get a lot of AVCs. Then use

    ausearch --start recent --exe=/sbin/plugin -m AVC --raw | audit2allow

to create the rest of the policy. You can probably find examples similar to this on the internet...or maybe give chatGPT a shot at it.

2) Enable the audisp_af_unix plugin and rework your plugin to read from it. Your plugin should run as a service which would place it in initrc_t since it has no policy. initrc_t is a permissive domain and you shouldn't have problems - at least from selinux.

> There is a solution?

The better solution is #1 above.

-Steve

_______________________________________________
Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
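Option #1 above as a worked script. This is an added example, not code from the thread or from the audit project: it writes a reference-policy module that moves the plugin from auditd_t into a private domain, labels the binary with an exec type, keeps the new domain permissive while AVCs are collected, and wraps the ausearch | audit2allow step. The plugin path /usr/local/sbin/myplugin, the module name auditd_plugin, the type names derived from it and the /usr/share/selinux/devel build path are assumptions (the last needs the selinux-policy-devel package).

```shell
#!/bin/sh
# Added example (not from the original thread). Generates and optionally
# installs an SELinux policy module for an auditd plugin.
# Assumptions: plugin installed at $PLUGIN_PATH, module/type prefix $MODULE.
set -eu

PLUGIN_PATH="${PLUGIN_PATH:-/usr/local/sbin/myplugin}"   # assumed install path
MODULE="auditd_plugin"                                     # assumed type prefix

# Write the .te (type enforcement) and .fc (file context) sources into $1.
write_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.0)

require {
    type auditd_t;
}

# Private domain for the plugin and the exec type that enters it.
type ${MODULE}_t;
type ${MODULE}_exec_t;
domain_type(${MODULE}_t)
domain_entry_file(${MODULE}_t, ${MODULE}_exec_t)

# auditd execs the labelled binary and the child lands in ${MODULE}_t.
domtrans_pattern(auditd_t, ${MODULE}_exec_t, ${MODULE}_t)

# The plugin reads events from the pipe auditd hands it as stdin.
allow ${MODULE}_t auditd_t:fd use;
allow ${MODULE}_t auditd_t:fifo_file { read getattr };

# Reading /proc/<pid>/* of other processes, the original requirement.
domain_read_all_domains_state(${MODULE}_t)
kernel_read_system_state(${MODULE}_t)

# Permissive only while collecting AVCs; delete this line for the final build.
permissive ${MODULE}_t;
EOF
    cat > "$dir/$MODULE.fc" <<EOF
$PLUGIN_PATH    --    gen_context(system_u:object_r:${MODULE}_exec_t,s0)
EOF
}

# Build, load and relabel (root plus selinux-policy-devel); not run by default.
install_policy() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    restorecon -v "$PLUGIN_PATH"
    service auditd restart      # auditd must be restarted to re-exec plugins
}

# After exercising the plugin, turn the logged AVCs into the missing rules,
# review the generated ${MODULE}_extra.te, then merge it into the module.
collect_avcs() {
    ausearch --start recent --exe="$PLUGIN_PATH" -m AVC --raw \
        | audit2allow -M "${MODULE}_extra"
}

# Usage: script.sh write [dir] | install [dir] | avcs
case "${1:-}" in
    write)   write_policy "${2:-./policy}" ;;
    install) write_policy "${2:-./policy}"; install_policy "${2:-./policy}" ;;
    avcs)    collect_avcs ;;
esac
```

Run `write` first and read the generated .te; once `install` has loaded it and the plugin has been exercised, `avcs` produces the extra rules, which belong in the main module so that the `permissive` line can be dropped and the plugin ends up enforced in its own domain rather than in auditd_t.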