type=USER_ROLE_CHANGE
Michael C Thompson
thompsmc at us.ibm.com
Mon Jul 17 18:02:15 UTC 2006
Steve Grubb wrote:
> On Thursday 13 July 2006 17:03, Michael C Thompson wrote:
>> In doing some tests, I've noticed that the USER_ROLE_CHANGE audit record
>> is associated with both newrole, and semanage user -[ad].
>
> semanage should also be using these:
>
> #define AUDIT_ROLE_ASSIGN 2301 /* Admin assigned user to role */
> #define AUDIT_ROLE_REMOVE 2302 /* Admin removed user from role */
>
> USER_ROLE_CHANGE should only be used when newrole is used. If semanage needs
> more record types let me know.
>
> -Steve
Hey Steve,
I do not believe these messages are implemented, or at least are not
properly used, in semanage. Doing semanage user changes or semanage
login changes only result in USER_ROLE_CHANGE messages.
'semanage user -d deleteme_u' yeilds:
type=USER_ROLE_CHANGE msg=audit(1153152594.356:685): user pid=10862
uid=0 auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c255 msg='op=delete
SELinux user record acct=deleteme_u old-seuser=? old-role=? old-range=?
new-seuser=? new-role=? new-range=? exe=/usr/sbin/semanage (hostname=?,
addr=?, terminal=pts/2 res=success)'
This is seen with policycoreutils-1.30.17-2.
Thanks,
Mike
More information about the Linux-audit
mailing list