FC5 MLS Policy: auditctl permission denied

Michael C Thompson mcthomps at us.ibm.com
Thu Mar 30 16:27:04 UTC 2006


Daniel J Walsh <dwalsh at redhat.com> wrote on 03/30/2006 10:06:30 AM:
> Michael C Thompson wrote:
> >
> > Hey Steve,
> >
> > Under the FC5 MLS policy, what is the magic incantation of SELinux 
> > role and MLS range that will make auditctl go? I've tried staff_r, 
> > with staff_t and SystemLow, which I did not expect to work (and it 
> > didn't). I've also tried sysadm_[rt] and secadm_[rt] with both 
> > SystemHigh and SystemLow. So far, no combination has led to auditctl 
> > being usable. secadm & sysadm attempts resolve in a direct bash denial 
> > message, whereas staff _can_ execute audit, but I get the messages:
> > "Error sending (rule/watch) list request (Permission denied)"
> >
> > Anyone know the magic or is this a policy bug?
> >
> secadm_r
> 
> newrole -r secadm_r -l SystemHigh

Transcript:

-bash-3.1# newrole -r secadm_r -l SystemHigh
Authenticating root.
Password:
[root at dyn94141107 ~]# auditctl -l
bash: /sbin/auditctl: Permission denied
[root at dyn94141107 ~]# ls -alZ /sbin/auditctl
-rwxr-x---  root     root     system_u:object_r:auditctl_exec_t:SystemLow 
/sbin/auditctl
[root at dyn94141107 ~]# id
uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
context=root:secadm_r:secadm_t:SystemHigh

It's clear from here this is not a DAC issue, but at this point my grasp of 
the policy is lacking. My policy packages are:
selinux-policy-2.2.23-15
selinux-policy-targeted-2.2.23-15
selinux-policy-mls-2.2.23-15

Am I out of date with policy?

Thanks,
Mike
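One way to check the transcript's "not a DAC issue" reasoning mechanically, as an added example that is not code from the thread. It takes the values printed by `ls -alZ` and `id` above as constructed inputs, decides whether plain Unix permissions would have allowed the exec, and builds the policy query a defender would run next; it assumes setools' `sesearch` and audit's `ausearch` are installed for those follow-up steps.

```sh
#!/bin/sh
# Added example, not from the thread. If DAC would allow the exec, the
# "Permission denied" must come from SELinux, so the next checks are the AVC
# record (ausearch -m avc -c auditctl) and a policy query (sesearch below).

# dac_exec_allowed MODE OWNER GROUP UID UNAME "GROUPS"
# MODE is the 10-character mode field from ls. Prints yes or no.
dac_exec_allowed() {
    mode=$1; owner=$2; group=$3; uid=$4; uname=$5; groups=$6
    if [ "$uid" -eq 0 ]; then
        # CAP_DAC_OVERRIDE: root may exec as long as some x bit is set
        case $mode in *x*|*s*) echo yes; return 0 ;; esac
        echo no; return 1
    fi
    if [ "$uname" = "$owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c4)        # owner's x bit
    else
        bit=$(printf '%s' "$mode" | cut -c10)       # other's x bit
        for g in $groups; do                        # group member? use group bit
            [ "$g" = "$group" ] && bit=$(printf '%s' "$mode" | cut -c7)
        done
    fi
    case $bit in x|s|t) echo yes; return 0 ;; esac
    echo no; return 1
}

# ctx_type CONTEXT -> the type field of user:role:type[:range]
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# policy_query SUBJECT_CTX FILE_CTX -> sesearch line asking whether the
# subject type may execute the file type (setools sesearch syntax)
policy_query() {
    printf 'sesearch --allow -s %s -t %s -c file -p execute\n' \
        "$(ctx_type "$1")" "$(ctx_type "$2")"
}

# Values constructed from the transcript in the message above.
dac_exec_allowed '-rwxr-x---' root root 0 root 'root bin daemon sys adm disk wheel'
policy_query 'root:secadm_r:secadm_t:SystemHigh' \
             'system_u:object_r:auditctl_exec_t:SystemLow'
```

The first call prints `yes`, confirming the denial is not DAC; the second prints the `sesearch` line that shows whether secadm_t is allowed to execute auditctl_exec_t in the installed policy.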