auditctl se_sen & se_clr
James Antill
jantill at redhat.com
Fri May 19 19:19:35 UTC 2006
On Fri, 2006-05-19 at 12:44 -0500, Michael C Thompson wrote:
> James Antill wrote:
> > On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote:
> >
> >> Thanks, that's what I thought as well. Here is my result of testing this:
> >>
> >> root linux user, id:
> >> context=root:staff_r:staff_t:SystemLow-SystemHigh
> >>
> >> mcthomps linux user, id:
> >> context=user_u:user_r:user_t:SystemLow
> >>
> >> When I have the following audit rule is
> >> auditctl -a entry,always -S chmod -F se_clr=s0
> >> the chmod actions taken by mcthomps get logged, but not those done by
> >> root (this is as expected).
> >
> > This means that a "range" of s0 is being interpreted as:
> >
> > se_sen=''
> > se_clr='s0'
> >
> > ...which isn't what I'd expect, but given that...
>
> I'm sorry, I do not follow what you mean here.
The mls range for root is s0-s0:c0.c255, where:
se_sen = s0
se_clr = s0:c0.c255
The mls range for mcthomps is s0, given the above works then:
se_clr = s0
...and given the range is s0 and not s0-s0 then se_sen must be blank
(and so won't match s0).
--
James Antill
<james.antill at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20060519/b9d890f2/attachment.sig>
More information about the Linux-audit
mailing list