audit capability checks not audited
Steve Grubb
sgrubb at redhat.com
Tue May 17 12:52:55 UTC 2005
On Tuesday 17 May 2005 08:27, Stephen Smalley wrote:
> We're starting to see bug reports of SELinux denials with no audit
> messages in FC4/devel due to the fact that the audit capabilities are
> checked on the receive side via a direct cap_raised() test on the
> effective capability set saved earlier by the netlink_send hook.
Is the bug report in bugzilla or a mail list? I'd like to see it to figure out
what best to do.
> This manifests as programs failing in enforcing mode and working in
> permissive mode, but no audit messages being generated.
Was the program making calls into the audit system? pam is the only thing that
does that in the public. If there's a problem with pam, I need to know.
> I know there was an earlier rfc/patch by Chris to allow moving the netlink
> message checking to the send side via a new callback, which would allow us
> to perform a traditional capable() call rather than a direct cap_raised()
> test and thus have the usual auditing behavior for SELinux there. Is
> that stalled?
What are we doing wrong? Shouldn't it be a matter of calling the right selinux
function for a capabilities check after the DAC checks? That seems simpler
and has less impact on user space.
-Steve