[RFC] Obtaining PATH entry without audit userland

Stephen Smalley sds at tycho.nsa.gov
Fri Jan 11 13:40:09 UTC 2008


On Thu, 2008-01-10 at 19:32 -0500, Steve Grubb wrote:
> On Thursday 10 January 2008 19:27:18 Yuichi Nakamura wrote:
> > One example of AVC message in 2.6.24.rc1 is below.
> > #Type is broken for testing, do not worry about that :)
> > audit(946684824.060:5): avc:  denied  { read } for  pid=796 comm="httpd"
> > name="index.html" dev=sda1 ino=61906 scontext=system_u:system_r:httpd_t
> > tcontext=system_u:object_r:etc_shadow_t tclass=file audit(946684824.060:5):
> > arch=2a syscall=5 per=800000 success=yes exit=5 a0=48d490 a1=0 a2=1b6
> > a3=1b6 items=1 ppid=795 pid=796 auid=4294967295 uid=99 gid=99 euid=99
> > suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="httpd"
> > exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t key=(null)
> >
> > File name appears as name="index.html".
> 
> How can we recreate the problem so that we can see what is going on?

Just trigger a denial on open(2) without any audit rules configured.
Then, audit system doesn't collect pathname info due to the
"optimization" to not collect information without syscall filters, and
SELinux doesn't get the vfsmount (reliably) in selinux_inode_permission,
so it cannot generate a path either.

-- 
Stephen Smalley
National Security Agency
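An added example, not from the thread: a small log consumer that groups audit records by serial and flags the case Stephen describes, an event whose SYSCALL record claims items=1 but has no PATH record, so only the AVC name= basename is available. The records are constructed from the thread's output with the type= prefixes restored; the second event (serial :6) and its rule key are hypothetical, showing what the same denial looks like once a syscall rule is loaded.

```python
import re
from collections import defaultdict

# Constructed sample (type= prefixes restored). Event :5 is the thread's case:
# no audit rules loaded, so no PATH record follows the SYSCALL record. Event :6
# is a hypothetical denial with a syscall rule loaded, so a PATH record exists.
SAMPLE = """\
type=AVC msg=audit(946684824.060:5): avc:  denied  { read } for  pid=796 comm="httpd" name="index.html" dev=sda1 ino=61906 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:etc_shadow_t tclass=file
type=SYSCALL msg=audit(946684824.060:5): arch=2a syscall=5 per=800000 success=yes exit=5 a0=48d490 a1=0 a2=1b6 a3=1b6 items=1 ppid=795 pid=796 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t key=(null)
type=AVC msg=audit(946684900.000:6): avc:  denied  { read } for  pid=801 comm="httpd" name="shadow" dev=sda1 ino=61906 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:etc_shadow_t tclass=file
type=SYSCALL msg=audit(946684900.000:6): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=801 auid=4294967295 uid=99 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t key="open-watch"
type=PATH msg=audit(946684900.000:6): item=0 name="/etc/shadow" inode=61906 dev=08:01 mode=0100400 ouid=0 ogid=0 obj=system_u:object_r:etc_shadow_t
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key="quoted" | key=(none) | key=bare

def parse_record(line):
    """Split one audit record into (type, serial, {key: value})."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    return fields.get("type"), (m.group(1) if m else None), fields

def group_events(text):
    """Group records by serial; each type maps to a list, since PATH may repeat."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if line.strip():
            rtype, serial, fields = parse_record(line)
            events[serial][rtype].append(fields)
    return events

def resolve_path(event):
    """Prefer the PATH record's full pathname; else the AVC name= (basename only)."""
    if event.get("PATH"):
        return event["PATH"][0].get("name"), "PATH"
    for avc in event.get("AVC", []):
        if "name" in avc:
            return avc["name"], "AVC-name-only"
    return None, "none"

def report(text):
    """Per event: resolved path, its source, and whether SYSCALL's items=N
    promised more path entries than PATH records were actually emitted."""
    out = {}
    for serial, event in group_events(text).items():
        path, source = resolve_path(event)
        syscall = event.get("SYSCALL", [{}])[0]
        items = int(syscall.get("items", "0"))
        out[serial] = {"path": path, "source": source, "exe": syscall.get("exe"),
                       "path_records_missing": len(event.get("PATH", [])) < items}
    return out
```

Events flagged with path_records_missing are the ones where the AVC name= is only a basename and cannot be trusted to identify the file; loading a syscall audit rule is what makes the PATH record appear.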
