James Antill wrote:
On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote:

Thanks, that's what I thought as well. Here is my result of testing this:

root linux user, id:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t:SystemLow-SystemHigh

mcthomps linux user, id:
uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps) context=user_u:user_r:user_t:SystemLow

When the audit rule is
   auditctl -a entry,always -S chmod -F se_clr=s0
the chmod actions taken by mcthomps get logged, but not those done by root (this is as expected).


 This means that a "range" of s0 is being interpreted as:

se_sen=''
se_clr='s0'

...which isn't what I'd expect, but given that...

I'm sorry, I do not follow what you mean here.

When the audit rule is
   auditctl -a entry,always -S chmod -F se_clr=s15:c0.c255
the chmod actions taken by root get logged, but not by mcthomps (also expected).

However, for se_sen, this does not seem to be the case. The rule:
   auditctl -a entry,always -S chmod -F se_se=s0
should cause chmod actions taken by both mcthomps and root to be logged, right? However, I'm only seeing the result of actions taken by mcthomps.

 This follows the same methodology.

Again, I'm confused as to what you mean.

Thanks,
Mike

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
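
The matching that the message expects, as an added sketch (not part of the original message and not the audit subsystem's code): each context's MLS range is split into a low level (se_sen) and a high level (se_clr), and a rule field is compared by exact string equality. It assumes that SystemLow and SystemHigh are translated labels for s0 and s15:c0.c255, as the se_clr rules in the message imply; the function names are hypothetical.

```python
# Added example: models the expectation stated in the message, not kernel behaviour.
# Assumption: SystemLow/SystemHigh stand for s0 and s15:c0.c255, as implied
# by the se_clr rules quoted in the message.
TRANSLATIONS = {"SystemLow": "s0", "SystemHigh": "s15:c0.c255"}

# Contexts copied from the `id` output in the message.
SUBJECTS = {
    "root": "root:staff_r:staff_t:SystemLow-SystemHigh",
    "mcthomps": "user_u:user_r:user_t:SystemLow",
}


def parse_context(context):
    """Split user:role:type:range and derive the low/high ends of the range."""
    # maxsplit=3 keeps raw ranges such as s0-s15:c0.c255 in one piece.
    user, role, type_, mls_range = context.split(":", 3)
    low, has_high, high = mls_range.partition("-")
    low = TRANSLATIONS.get(low, low)
    # A single-level range has the same sensitivity and clearance.
    high = TRANSLATIONS.get(high, high) if has_high else low
    return {"se_user": user, "se_role": role, "se_type": type_,
            "se_sen": low, "se_clr": high}


def rule_matches(rule_fields, context):
    """True when every -F field=value pair equals the subject's field."""
    subject = parse_context(context)
    return all(subject.get(field) == value
               for field, value in rule_fields.items())


def expected_matches(rule_fields, subjects=SUBJECTS):
    """Names of the subjects whose chmod calls the rule is expected to log."""
    return sorted(name for name, ctx in subjects.items()
                  if rule_matches(rule_fields, ctx))


if __name__ == "__main__":
    for rule in ({"se_clr": "s0"},
                 {"se_clr": "s15:c0.c255"},
                 {"se_sen": "s0"}):
        print(rule, "->", expected_matches(rule))
```

Under this model the third rule matches both users, which is the expectation the message states; the observed result differs for root.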
