On Thursday, October 17, 2019 5:05:56 PM EDT Christian Göttsche wrote: > I am working on migrating src:shadow to today's SELinux api and > enabling audit logging for denials.
>From within the application? It seems that policy could be/is written to block execution and prevent any changes. That is, unless you are allowing fine grained controls like you can update the password but not the user name or anything else in the database. > The question which uid to log with 'audit_log_user_avc_message' came up. This is normally thought of in a client/server situation such as dbus (system not session). Dbus runs as root and has no associated login uid so in this case you would want to know who dbus was making a decision for. It would know who the peer is. In the case where the application is invoked by the user, just use the uid to whatever the account is that is being operated on. In the case where no account exists because it is being created, then use -1. > What is preferred for the applications like passwd, chfn, ... , which > might be setuid binaries (getuid, geteuid, 0)? Hope this helps... -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
