I was running some test cases and ran into a scenario where secadm_r was
permitted to write to /var/log/audit/audit.log. I was not expecting secadm to
be able to perform that operation. However, secadm_r was denied appends to the
log, and I get AVC messages for append perms in the log (see output below).

I am running with the latest .74 kernel and policy .54, in Enforcing of course.

It doesn't really make sense to me that secadm can completely overwrite the
audit log but can't append to it. I didn't think secadm should even have write
permission to the audit log in the first place.

Any thoughts on this?
Thanks
- Loulwa
Here are the steps I did...
[root/secadm_r/[EMAIL PROTECTED] bin]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=staff_u:secadm_r:secadm_t:SystemLow-SystemHigh
[root/secadm_r/[EMAIL PROTECTED] bin]# ls -Z /var/log/audit/audit.log
-rw-r----- root root system_u:object_r:auditd_log_t:SystemHigh
/var/log/audit/audit.log
[root/secadm_r/[EMAIL PROTECTED] bin]# echo "boo" > /var/log/audit/audit.log
[root/secadm_r/[EMAIL PROTECTED] bin]# cat /var/log/audit/audit.log
boo
[root/secadm_r/[EMAIL PROTECTED] bin]# echo "boo2" >> /var/log/audit/audit.log
-bash: /var/log/audit/audit.log: Permission denied
[root/secadm_r/[EMAIL PROTECTED] bin]# cat /var/log/audit/audit.log
boo
type=AVC msg=audit(1176408498.736:844): avc: denied { append } for pid=3853
comm="bash" name="audit.log" dev=dm-2 ino=294916
scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no
exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
key=(null)
type=AVC msg=audit(1176408498.737:845): avc: denied { append } for pid=3853
comm="bash" name="audit.log" dev=dm-2 ino=294916
scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no
exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023
key=(null)
--
redhat-lspp mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-lspp
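Added example, not from the post or the redhat-lspp list: a small Python triage script over the AVC and SYSCALL records quoted above. SELinux checks a writable open(2) that carries O_APPEND against the separate append permission rather than write, so the `>` redirect (O_TRUNC) and the `>>` redirect (O_APPEND) are checked for different permissions; the script decodes the a1 flags word in each SYSCALL record and reports which permission the kernel was checking. The open(2) flag values, the reading of arch=14 as PowerPC, and the re-joining of the mail-wrapped records onto single lines are assumptions, marked in the comments.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC/SYSCALL pairs quoted in the post, re-joined onto
# single lines (audit emits one record per line; the mail client wrapped them).
SAMPLE_LOG = """\
type=AVC msg=audit(1176408498.736:844): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.736:844): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10441 a2=1b6 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1176408498.737:845): avc: denied { append } for pid=3853 comm="bash" name="audit.log" dev=dm-2 ino=294916 scontext=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1176408498.737:845): arch=14 syscall=5 success=no exit=-13 a0=1011d668 a1=10401 a2=0 a3=10117fc8 items=0 ppid=3850 pid=3853 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=staff_u:secadm_r:secadm_t:s0-s15:c0.c1023 key=(null)
"""

# open(2) flag bits. Assumed generic Linux ABI values; O_LARGEFILE is
# arch-specific, and 0x10000 is the PowerPC value (arch=14 is EM_PPC, assumed
# to be what these records were taken on). audit prints a0..a3 in hex.
O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR = 0x3, 0x0, 0x1, 0x2
O_CREAT, O_TRUNC, O_APPEND, O_LARGEFILE = 0x40, 0x200, 0x400, 0x10000
FLAG_NAMES = {O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR", O_CREAT: "O_CREAT",
              O_TRUNC: "O_TRUNC", O_APPEND: "O_APPEND", O_LARGEFILE: "O_LARGEFILE"}


def decode_open_flags(flags):
    """Name the known bits of an open(2) flags word, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def selinux_open_perms(flags):
    """File-class permissions SELinux checks at open time for these flags.
    A writable open with O_APPEND set is checked for 'append'; one without it
    is checked for 'write'; a readable open adds 'read'."""
    perms = set()
    acc = flags & O_ACCMODE
    if acc in (O_RDONLY, O_RDWR):
        perms.add("read")
    if acc in (O_WRONLY, O_RDWR):
        perms.add("append" if flags & O_APPEND else "write")
    return perms


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')


def parse_audit(text):
    """Group AVC and SYSCALL records by their audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        serial = int(MSG_RE.search(line).group(2))
        fields = dict(KV_RE.findall(line))
        if fields["type"] == "AVC":
            events[serial]["avc"] = {
                "perms": PERMS_RE.search(line).group(1).split(),
                "scontext": fields["scontext"],
                "tcontext": fields["tcontext"],
                "tclass": fields["tclass"],
                "name": fields["name"].strip('"'),
            }
        elif fields["type"] == "SYSCALL":
            events[serial]["syscall"] = {
                "syscall": int(fields["syscall"]),
                "flags": int(fields["a1"], 16),   # second open(2) argument
                "exit": int(fields["exit"]),
                "exe": fields["exe"].strip('"'),
            }
    return dict(events)


def explain_denial(event):
    """Relate the denied permission to the flags the paired SYSCALL record shows."""
    avc, sc = event["avc"], event.get("syscall")
    out = {"denied": avc["perms"], "scontext": avc["scontext"],
           "tcontext": avc["tcontext"], "tclass": avc["tclass"]}
    if sc:
        out["open_flags"] = decode_open_flags(sc["flags"])
        out["checked_perms"] = selinux_open_perms(sc["flags"])
        out["eacces"] = sc["exit"] == -13   # -EACCES, as in the quoted records
    return out


def triage(text):
    """Map each audit serial to a decoded explanation of its denial."""
    return {serial: explain_denial(ev) for serial, ev in parse_audit(text).items()}


if __name__ == "__main__":
    for serial, info in sorted(triage(SAMPLE_LOG).items()):
        print(serial, info)
    # The two shell redirects from the session above, decoded:
    print(">  checks:", sorted(selinux_open_perms(O_WRONLY | O_CREAT | O_TRUNC)))
    print(">> checks:", sorted(selinux_open_perms(O_WRONLY | O_CREAT | O_APPEND)))
```

Running it shows both denials come from opens with O_WRONLY|O_APPEND (serial 844 with O_CREAT, 845 the retry without it) that were checked for append, while the earlier `>` redirect is an O_WRONLY|O_CREAT|O_TRUNC open checked for write; a policy rule granting write on auditd_log_t therefore says nothing about append, and the reverse holds as well.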