[redhat-lspp] Re: FC5 MLS Policy: auditctl permission denied

George C. Wilson ltcgcw at us.ibm.com
Thu Mar 30 18:04:06 UTC 2006


On Thu, Mar 30, 2006 at 10:27:04AM -0600, Michael C Thompson wrote:
> Daniel J Walsh <dwalsh at redhat.com> wrote on 03/30/2006 10:06:30 AM:
> > Michael C Thompson wrote:
> > >
> > > Hey Steve,
> > >
> > > Under the FC5 MLS policy, what is the magic incantation of SELinux 
> > > role and MLS range that will make auditctl go? I've tried staff_r, 
> > > with staff_t and SystemLow, which I did not expect to work (and it 
> > > didn't). I've also tried sysadm_[rt] and secadm_[rt] with both 
> > > SystemHigh and SystemLow. So far, no combination has lead to auditctl 
> > > being usable. secadm & sysadm attempts resolve in a direct bash denial 
> 
> > > message, whereas staff _can_ execute audit, but I get the messages:
> > > "Error sending (rule/watch) list request (Permission denied)"
> > >
> > > Anyone know the magic or is this a policy bug?
> > >
> > secadm_r
> > 
> > newrole -r secadm_r -l SystemHigh
> 
> Transcript:
> 
> -bash-3.1# newrole -r secadm_r -l SystemHigh
> Authenticating root.
> Password:
> [root at dyn94141107 ~]# auditctl -l
> bash: /sbin/auditctl: Permission denied
> [root at dyn94141107 ~]# ls -alZ /sbin/auditctl
> -rwxr-x---  root     root     system_u:object_r:auditctl_exec_t:SystemLow 
> /sbin/auditctl
> [root at dyn94141107 ~]# id
> uid=0(root) gid=0(root) 
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
> context=root:secadm_r:secadm_t:SystemHigh
> 
> Its clear from here this is not a DAC issue, but at this point my grasp of 
> the policy is lacking. My policy packages are:
> selinux-policy-2.2.23-15
> selinux-policy-targeted-2.2.23-15
> selinux-policy-mls-2.2.23-15
> 
> Am I out of date with policy?
> 
> Thanks,
> Mike

I get the same results on pSeries.  No, your policy shouldn't be out-of-date.
If I set permissive mode and look at dmesg, I see this:

audit(1143741108.405:2485): security_compute_sid:  invalid context root:secadm_r:auditctl_t:s15:c0.c255 for scontext=root:secadm_r:secadm_t:s15:c0.c255 tcontext=system_u:object_r:auditctl_exec_t:s0 tclass=process

This is FC5 gold with the lspp.13 kernel.  I'll doublecheck to make sure
I didn't do anything unusual.

-- 
George Wilson <ltcgcw at us.ibm.com>
IBM Linux Technology Center




More information about the redhat-lspp mailing list