[redhat-lspp] Re: policy issues in 2.3.18-10 - auditadm_r & audit.log

Michael C Thompson thompsmc at us.ibm.com
Thu Oct 19 15:04:12 UTC 2006


Daniel J Walsh wrote:
> Michael C Thompson wrote:
>> With the following contexts:
>>
>> bash-3.1# id
>> uid=0(root) gid=0(root) 
>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
>> context=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> bash-3.1# ls -Z /var/log/audit/audit.log
>> -rw-r-----  root root system_u:object_r:auditd_log_t:s15:c0.c1023 
>> /var/log/audit/audit.log
>>
>> Doing a simple less /var/log/audit/audit.log generates the following 
>> AVC records. The operation succeeds, but this seems like an excessive 
>> amount of records that are being generated. Is there a reason why 
>> auditadm_t is disallowed dac_override?
>>
>>
>> type=AVC msg=audit(1161117931.187:182): avc:  denied  { dac_override } 
>> for  pid=1998 comm="less" capability=1 
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=AVC msg=audit(1161117931.187:182): avc:  denied  { 
>> dac_read_search } for  pid=1998 comm="less" capability=2 
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33 
>> success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0 
>> ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
>> sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" 
>> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>>
>> type=AVC msg=audit(1161117931.187:183): avc:  denied  { dac_override } 
>> for  pid=1998 comm="less" capability=1 
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=AVC msg=audit(1161117931.187:183): avc:  denied  { 
>> dac_read_search } for  pid=1998 comm="less" capability=2 
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=SYSCALL msg=audit(1161117931.187:183): arch=14 syscall=5 
>> success=no exit=-13 a0=100400d8 a1=10000 a2=0 a3=73 items=0 ppid=1846 
>> pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
>> fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" 
>> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>>
>> type=AVC msg=audit(1161117931.187:184): avc:  denied  { dac_override } 
>> for  pid=1998 comm="less" capability=1 
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=AVC msg=audit(1161117931.187:184): avc:  denied  { 
>> dac_read_search } for  pid=1998 comm="less" capability=2 
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=SYSCALL msg=audit(1161117931.187:184): arch=14 syscall=5 
>> success=no exit=-13 a0=10042200 a1=10000 a2=1b6 a3=1b6 items=0 
>> ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
>> sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" 
>> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>>
>> type=AVC msg=audit(1161117931.195:185): avc:  denied  { dac_override } 
>> for  pid=1999 comm="sh" capability=1 
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=AVC msg=audit(1161117931.195:185): avc:  denied  { 
>> dac_read_search } for  pid=1999 comm="sh" capability=2 
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195 
>> success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660 
>> a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0 
>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh" 
>> exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 
>> key=(null)
>>
>>
> I can add dac_override and dac_read_search, but I have no idea why they 
> are needed?
> 
> Is there something in the path that root is not allowed to read?  Are 
> you in a directory where root is not allowed to read?

Ah, yes, I see it now. I hate when I overlook the obvious. These are 
being generated because I am logging in with a non-root user, su'ing to 
root, and then newroling to auditadm_r - the end result being root 
needing these privileges to read contents of that user's home directory.

If it's not an issue, it would be nice to have these DAC overrides 
associated with the administrative roles, since they will need to be 
acting as DAC root in most every useful scenario.

Thanks,
Mike
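The diagnosis above rests on reading the AVC records together with the SYSCALL record that shares their event serial (uid=0 being denied dac_override/dac_read_search). The following is an added example, not code from the thread or from the reference policy: it parses audit.log records, correlates them by serial, and flags exactly that pattern. The sample records are taken from the quoted log, re-joined one record per line, with serial 185 trimmed to a single AVC.

```python
import re
from collections import defaultdict

# Constructed sample: records from the thread, one per line (serial 185 trimmed to one AVC).
SAMPLE = """\
type=AVC msg=audit(1161117931.187:183): avc:  denied  { dac_override } for  pid=1998 comm="less" capability=1 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=AVC msg=audit(1161117931.187:183): avc:  denied  { dac_read_search } for  pid=1998 comm="less" capability=2 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.187:183): arch=14 syscall=5 success=no exit=-13 a0=100400d8 a1=10000 a2=0 a3=73 items=0 ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1161117931.195:185): avc:  denied  { dac_override } for  pid=1999 comm="sh" capability=1 scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195 success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660 a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh" exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')          # the "{ perm perm }" set of an AVC
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value pairs, quoted or bare
DAC_CAPS = {"dac_override", "dac_read_search"}     # capabilities that bypass DAC checks

def parse_records(text):
    """Yield (record type, event serial, fields) for every audit record line."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == "AVC":
            pm = PERMS.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        yield rtype, int(serial), fields

def correlate(text):
    """Group records by serial so each AVC can be read next to its SYSCALL record."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for rtype, serial, fields in parse_records(text):
        if rtype == "AVC":
            events[serial]["avc"].append(fields)
        elif rtype == "SYSCALL":
            events[serial]["syscall"] = fields
    return dict(events)

def dac_denials(events):
    """Summarise events where a uid=0 process was denied a DAC-bypass capability:
    the signature of root hitting a path component its domain may not override."""
    out = []
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"] or {}
        perms = sorted({p for a in ev["avc"] if a.get("tclass") == "capability"
                        for p in a["perms"]} & DAC_CAPS)
        if perms and sc.get("uid") == "0":
            out.append({"serial": serial, "exe": sc.get("exe"), "syscall": sc.get("syscall"),
                        "domain": sc.get("subj", "").split(":")[2], "perms": perms,
                        "success": sc.get("success")})
    return out
```

Running `dac_denials(correlate(SAMPLE))` reports serials 183 and 185 as auditadm_t, uid=0, denied dac_override (and dac_read_search for 183), which is the pattern the reply traces to the su'd user's home directory.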