[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: useradd - audit_write ?

Stephen Smalley wrote:
On Thu, 2006-07-13 at 07:16 -0700, Tom London wrote:
Running selinux-policy-2.3.2-1 targeted/permissive.

Doing my usual 'yum update' of yesterday's rawhide (including
selinux-policy-2.3.2-2), I noticed this in audit log:

type=AVC msg=audit(1152799768.153:34): avc:  denied  { audit_write }
for  pid=3084 comm="useradd" capability=29
tcontext=user_u:system_r:useradd_t:s0 tclass=capability
type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0
auid=500 subj=user_u:system_r:useradd_t:s0 msg='op=adding user
acct=dbus exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0
type=SYSCALL msg=audit(1152799768.153:34): arch=40000003 syscall=102
success=yes exit=116 a0=b a1=bf95a240 a2=6ecff4 a3=bf96068e items=0
ppid=3083 pid=3084 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd"
subj=user_u:system_r:useradd_t:s0 key=(null)
type=SOCKADDR msg=audit(1152799768.153:34): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1152799768.153:34): nargs=6 a0=3 a1=bf95e4dc
a2=74 a3=0 a4=bf95a270 a5=c

Yes, another program instrumented for audit generation, needs that
capability.   Why wasn't this taken care of when these programs were
originally instrumented for audit?  (We are only now getting audit
denials due to the netlink capability checking patch that went into
recent kernels, but this would have been getting denied all along, so I
would have expected it to show up in testing).

Testing in permissive mode I guess.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]