Yes that would be the long term fix. But it would involve journal
labelling individual data records, i.e. records from audit.log would be
audit_log_t, while messages from syslog would be var_log_t, or some
other kind of craziness.
On 04/24/2014 11:03 AM, Eric Paris wrote:
> On Thu, 2014-04-24
On Thu, 2014-04-24 at 10:59 -0400, Daniel J Walsh wrote:
> I don't disagree. I would think the real solution to this would be to
> not allow sysadm_t to get to SystemHigh, where all of the logging data
> will be stored.
make journalctl a userspace object manager and do selinux checks on if
it can
I don't disagree. I would think the real solution to this would be to
not allow sysadm_t to get to SystemHigh, where all of the logging data
will be stored.
On 04/24/2014 09:22 AM, Eric Paris wrote:
> They would be equivalent if and only if journald had CAP_AUDIT_READ.
>
> I suggest you take
They would be equivalent if and only if journald had CAP_AUDIT_READ.
I suggest you take CAP_AUDIT_READ away from journald on systems which
need the secadm/sysadmin split (which is a ridiculously stupid split
anyway, but who am I to complain?)
On Wed, Apr 23, 2014 at 11:52 AM, Daniel J Walsh
Meaning looking at the journal would be equivalent to looking at
/var/log/audit/audit.log.
On 04/23/2014 11:37 AM, Eric Paris wrote:
> On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
>> I guess the problem would be that the sysadm_t would be able to look at
>> the journal which would
I guess the problem would be that the sysadm_t would be able to look at
the journal which would now contain the audit content.
On 04/23/2014 10:42 AM, Eric Paris wrote:
> On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
>> Here are the capabilities we currently give to sysadm_t with
>>
On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
> I guess the problem would be that the sysadm_t would be able to look at
> the journal which would now contain the audit content.
right. so include it in the sysadm_secadm bool
>
> On 04/23/2014 10:42 AM, Eric Paris wrote:
> > On Wed,
On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
> Here are the capabilities we currently give to sysadm_t with
> sysadm_secadm 1.0.0 Disabled
>
>allow sysadm_t sysadm_t : capability { chown dac_override
> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
Here are the capabilities we currently give to sysadm_t with
sysadm_secadm 1.0.0 Disabled
allow sysadm_t sysadm_t : capability { chown dac_override
dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote:
> On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
> > This is a patch set Eric Paris and I have been working on to add a
> > restricted capability read-only netlink multicast socket to kernel audit to
> > enable userspace
From: Richard Guy Briggs
Date: Tue, 22 Apr 2014 21:49:29 -0400
> On 14/04/22, David Miller wrote:
>> From: Richard Guy Briggs
>> Date: Tue, 22 Apr 2014 21:31:52 -0400
>>
>> > This is a patch set Eric Paris and I have been working on to add a
>> > restricted
>> > capability read-only netlink
On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
> This is a patch set Eric Paris and I have been working on to add a
> restricted capability read-only netlink multicast socket to kernel audit to
> enable userspace clients such as systemd/journald to receive audit logs, in
>
On 14/04/22, David Miller wrote:
> From: Richard Guy Briggs
> Date: Tue, 22 Apr 2014 21:31:52 -0400
>
> > This is a patch set Eric Paris and I have been working on to add a
> > restricted
> > capability read-only netlink multicast socket to kernel audit to enable
> > userspace clients such as
This is a patch set Eric Paris and I have been working on to add a restricted
capability read-only netlink multicast socket to kernel audit to enable
userspace clients such as systemd/journald to receive audit logs, in addition
to the bidirectional auditd userspace client.
Currently, auditd has
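The mechanism Richard describes above, as an added example that is not code from the patch set, systemd or auditd: a read-only subscriber that joins the audit multicast group and parses the records it receives. It assumes the AUDIT_NLGRP_READLOG group and the CAP_AUDIT_READ check that the patch set introduces (both are in mainline linux/audit.h today), and it is that check, made when the group is joined, that Eric's suggestion of taking CAP_AUDIT_READ away from journald relies on: audit_readlog_open() returns -EPERM for a caller without the capability. The record texts, the SELinux labels in them and the sample_batch()/parse_sample() helpers are constructed for illustration, not captured from a real system.

```c
/* Added example, not code from the patch set, systemd or auditd: a minimal
 * read-only subscriber for the audit log multicast group. Joining the group
 * is where the kernel checks CAP_AUDIT_READ, so audit_readlog_open() returns
 * -EPERM for a caller without it. The record texts are constructed samples. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef AUDIT_NLGRP_READLOG
#define AUDIT_NLGRP_READLOG 1 /* enum audit_nlgroups value in linux/audit.h */
#endif

struct audit_rec {
    unsigned int type; /* AUDIT_* record type, e.g. AUDIT_SYSCALL (1300) */
    char text[256];    /* NUL-terminated copy of the record text */
};

/* Open NETLINK_AUDIT, autobind, and join the read-only log group. Nothing is
 * ever sent on this socket (no AUDIT_SET, no rule changes), which is why it
 * can live under CAP_AUDIT_READ instead of auditd's CAP_AUDIT_CONTROL.
 * Returns the fd, or -errno (e.g. -EPERM when the caller lacks CAP_AUDIT_READ). */
int audit_readlog_open(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    struct sockaddr_nl addr;
    memset(&addr, 0, sizeof addr);
    addr.nl_family = AF_NETLINK;              /* nl_pid 0: kernel picks a port id */
    unsigned int grp = AUDIT_NLGRP_READLOG;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &grp, sizeof grp) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Walk one recv() buffer of netlink messages and copy out the audit records.
 * Returns the number of records stored (at most max). */
size_t audit_parse_batch(const void *buf, size_t len, struct audit_rec *out, size_t max)
{
    size_t n = 0;
    int rem = (int)len;   /* NLMSG_OK/NLMSG_NEXT do signed arithmetic on the remainder */
    struct nlmsghdr *nh = (struct nlmsghdr *)buf;
    for (; NLMSG_OK(nh, rem) && n < max; nh = NLMSG_NEXT(nh, rem)) {
        if (nh->nlmsg_type == NLMSG_DONE)
            break;
        if (nh->nlmsg_type < NLMSG_MIN_TYPE)  /* NOOP, ERROR, OVERRUN: not records */
            continue;
        size_t plen = nh->nlmsg_len - NLMSG_HDRLEN;
        if (plen >= sizeof out[n].text)
            plen = sizeof out[n].text - 1;    /* truncate, never overflow */
        out[n].type = nh->nlmsg_type;
        memcpy(out[n].text, NLMSG_DATA(nh), plen);
        out[n].text[plen] = '\0';
        n++;
    }
    return n;
}

/* Constructed sample: the three records of one syscall event, in the text
 * form the kernel emits. uint32_t backing keeps each nlmsghdr 4-byte aligned. */
static uint32_t sample_words[128];

static size_t put_rec(unsigned char *buf, size_t cap, size_t off, unsigned int type, const char *text)
{
    size_t plen = strlen(text), need = NLMSG_SPACE(plen);
    if (off + need > cap)
        return off;                           /* no room: leave the batch as is */
    struct nlmsghdr *nh = (struct nlmsghdr *)(buf + off);
    memset(nh, 0, need);
    nh->nlmsg_len = NLMSG_LENGTH(plen);
    nh->nlmsg_type = type;
    memcpy(NLMSG_DATA(nh), text, plen);
    return off + need;
}

const void *sample_batch(size_t *len)
{
    unsigned char *buf = (unsigned char *)sample_words;
    size_t cap = sizeof sample_words, off = 0;
    off = put_rec(buf, cap, off, AUDIT_SYSCALL, "audit(1398266520.311:42): arch=c000003e "
                  "syscall=2 success=yes exit=3 comm=\"cat\" exe=\"/usr/bin/cat\" "
                  "subj=sysadm_u:sysadm_r:sysadm_t:s0");
    off = put_rec(buf, cap, off, AUDIT_PATH, "audit(1398266520.311:42): item=0 "
                  "name=\"/var/log/audit/audit.log\" obj=system_u:object_r:auditd_log_t:s0");
    off = put_rec(buf, cap, off, AUDIT_EOE, "audit(1398266520.311:42): ");
    *len = off;
    return buf;
}

/* Build the constructed batch and parse it back through audit_parse_batch(). */
size_t parse_sample(struct audit_rec *out, size_t max)
{
    size_t len;
    const void *b = sample_batch(&len);
    return audit_parse_batch(b, len, out, max);
}

int main(void)
{
    struct audit_rec recs[8];
    size_t n = parse_sample(recs, 8);
    for (size_t i = 0; i < n; i++)
        printf("type=%u %s\n", recs[i].type, recs[i].text);
    int fd = audit_readlog_open();
    if (fd < 0) {
        fprintf(stderr, "audit_readlog_open: %s\n", strerror(-fd));
        return 1;
    }
    uint32_t rx[2048];                        /* aligned receive buffer */
    ssize_t r;
    while ((r = recv(fd, rx, sizeof rx, 0)) > 0) {  /* live records, one batch per recv() */
        n = audit_parse_batch(rx, (size_t)r, recs, 8);
        for (size_t i = 0; i < n; i++)
            printf("type=%u %s\n", recs[i].type, recs[i].text);
    }
    close(fd);
    return 0;
}
```

Run as an unprivileged user the program prints the parsed sample and then fails with "Operation not permitted" at the join; run with CAP_AUDIT_READ it streams live records. That difference is the whole point of the split discussed in this thread: a sysadm_t process that can read the journal sees the same AUDIT_SYSCALL/AUDIT_PATH text it would get from /var/log/audit/audit.log, and the only thing standing between it and the kernel feed is who holds CAP_AUDIT_READ.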