[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: New audit-perms patch [ Re: Audit perms check on recv ]



--- Darrel Goeddel <dgoeddel trustedcs com> wrote:

> Serge E. Hallyn wrote:
> > The attached patch addresses Stephen's comments
> about re-using
> > dummy_capget code and properly checking
> capabilities in
> > selinux_netlink_send.
> > 
> > To review, it 
> > 
> >    1.  adds two new capabilities, CAP_AUDIT_READ
> and CAP_AUDIT_WRITE
> >    ...
> 
> It would seem that separate
> CAP_AUDIT_ADMIN/CAP_AUDIT_WRITE capabilities are 
> much more important than having a separate
> CAP_ADMIN_READ capability.

The POSIX Draft uses CAP_AUDIT_WRITE and
CAP_AUDIT_CONTROL, with the later required for
reading records. Irix does the same. A
capability for reading audit records seperate
from that required to disable their generation,
the logic went, is hardly necessary. 


> The 
> CAP_AUDIT_WRITE capability should only allow a
> process to generate a userspace 
> audit message.

This is consistant with POSIX.

> I think capability checks should map like this:
> 
> AUDIT_GET -> none (possibly CAP_AUDIT_ADMIN)
> AUDIT_SET -> CAP_AUDIT_ADMIN
> AUDIT_LIST -> none (possibly CAP_AUDIT_ADMIN)
> AUDIT_ADD -> CAP_AUDIT_ADMIN
> AUDIT_DEL -> CAP_AUDIT_ADMIN
> AUDIT_USER -> CAP_AUDIT_WRITE
> AUDIT_LOGIN -> CAP_AUDIT_ADMIN
> 
> The case of AUDIT_LOGIN has merit for a separate
> CAP_AUDIT_LOGIN capability 
> because this carries much more importance than
> AUDIT_USER, but we really should 
> not have the ability to mess with the rest of the
> configuration.  However, this 
> action is as important to the reliability of the
> audit logs as the configuration 
> of the audit subsystem.  I would prioritize this
> capability above CAP_AUDIT_READ 
> as well.

The granularity of capabilities should be carefully
policed. Data General had over 330 in DGUX. If it
is at all possible to get by with two, that would be
best.


=====
Casey Schaufler
casey schaufler-ca com


		
__________________________________ 
Do you Yahoo!? 
Take Yahoo! Mail with you! Get it on your mobile phone. 
http://mobile.yahoo.com/maildemo 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]