auditctl se_sen & se_clr

Michael C Thompson thompsmc at us.ibm.com
Fri May 19 19:30:21 UTC 2006


James Antill wrote:
> On Fri, 2006-05-19 at 12:44 -0500, Michael C Thompson wrote:
>> James Antill wrote:
>>> On Fri, 2006-05-19 at 10:30 -0500, Michael C Thompson wrote:
>>>
>>>> Thanks, that's what I thought as well. Here is my result of testing this:
>>>>
>>>> root linux user, id:
>>>> context=root:staff_r:staff_t:SystemLow-SystemHigh
>>>>
>>>> mcthomps linux user, id:
>>>> context=user_u:user_r:user_t:SystemLow
>>>>
>>>> When I have the following audit rule is
>>>>    auditctl -a entry,always -S chmod -F se_clr=s0
>>>> the chmod actions taken by mcthomps get logged, but not those done by 
>>>> root (this is as expected).
>>>  This means that a "range" of s0 is being interpreted as:
>>>
>>> se_sen=''
>>> se_clr='s0'
>>>
>>> ...which isn't what I'd expect, but given that...
>> I'm sorry, I do not follow what you mean here.
> 
>  The mls range for root is s0-s0:c0.c255, where:
> 
>  se_sen = s0
>  se_clr = s0:c0.c255

Right, this makes sense.

>  The mls range for mcthomps is s0, given the above works then:
> 
>  se_clr = s0
> 
> ...and given the range is s0 and not s0-s0 then se_sen must be blank
> (and so won't match s0).


AFIAK, you must have both a low and a high, which means for mcthomps, 
se_sen=0 and se_clr=s0.

The testing that I have done with auditctl's se_sen and se_clr filters 
has the se_clr working for both the root user and the mcthomps user, but 
  se_sen only captures audit events for mcthomps when:
auditctl -a entry,always -S chmod -F se_sen=s0

I would expect that since se_sen=s0 for both root and mcthomps, that 
both of their chmod actions would be logged, but root's actions are not 
being captured.

This leads me to believe either our definition of se_sen is wrong, or if 
our definition of se_sen is correct, then the implementation of se_sen 
has some bug in it.

Thanks,
Mike




More information about the Linux-audit mailing list