[redhat-lspp] Re: policy issues in 2.3.18-10 - auditadm_r & audit.log
Michael C Thompson
thompsmc at us.ibm.com
Thu Oct 19 15:04:12 UTC 2006
Daniel J Walsh wrote:
> Michael C Thompson wrote:
>> With the following contexts:
>>
>> bash-3.1# id
>> uid=0(root) gid=0(root)
>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>> context=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> bash-3.1# ls -Z /var/log/audit/audit.log
>> -rw-r----- root root system_u:object_r:auditd_log_t:s15:c0.c1023
>> /var/log/audit/audit.log
>>
>> Doing a simple less /var/log/audit/audit.log generates the following
>> AVC records. The operation succeeds, but this seems like an excessive
>> amount of records that are being generated. Is there a reason why
>> auditadm_t is disallowed dac_override?
>>
>
>>
>> type=AVC msg=audit(1161117931.187:182): avc: denied { dac_override }
>> for pid=1998 comm="less" capability=1
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=AVC msg=audit(1161117931.187:182): avc: denied {
>> dac_read_search } for pid=1998 comm="less" capability=2
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=SYSCALL msg=audit(1161117931.187:182): arch=14 syscall=33
>> success=no exit=-13 a0=fefcdfec a1=4 a2=0 a3=fefefeff items=0
>> ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
>> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>>
>> type=AVC msg=audit(1161117931.187:183): avc: denied { dac_override }
>> for pid=1998 comm="less" capability=1
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=AVC msg=audit(1161117931.187:183): avc: denied {
>> dac_read_search } for pid=1998 comm="less" capability=2
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=SYSCALL msg=audit(1161117931.187:183): arch=14 syscall=5
>> success=no exit=-13 a0=100400d8 a1=10000 a2=0 a3=73 items=0 ppid=1846
>> pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
>> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>>
>> type=AVC msg=audit(1161117931.187:184): avc: denied { dac_override }
>> for pid=1998 comm="less" capability=1
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=AVC msg=audit(1161117931.187:184): avc: denied {
>> dac_read_search } for pid=1998 comm="less" capability=2
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=SYSCALL msg=audit(1161117931.187:184): arch=14 syscall=5
>> success=no exit=-13 a0=10042200 a1=10000 a2=1b6 a3=1b6 items=0
>> ppid=1846 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=pts2 comm="less" exe="/usr/bin/less"
>> subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 key=(null)
>>
>> type=AVC msg=audit(1161117931.195:185): avc: denied { dac_override }
>> for pid=1999 comm="sh" capability=1
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=AVC msg=audit(1161117931.195:185): avc: denied {
>> dac_read_search } for pid=1999 comm="sh" capability=2
>> scontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> tcontext=staff_u:auditadm_r:auditadm_t:s15:c0.c1023 tclass=capability
>> type=SYSCALL msg=audit(1161117931.195:185): arch=14 syscall=195
>> success=no exit=-13 a0=100b0b10 a1=fe36f660 a2=fe36f660
>> a3=fffffffffefefeff items=0 ppid=1998 pid=1999 auid=500 uid=0 gid=0
>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="sh"
>> exe="/bin/bash" subj=staff_u:auditadm_r:auditadm_t:s15:c0.c1023
>> key=(null)
>>
>>
> I can add dac_override and dac_read_search, but I have no idea why they
> are needed?
>
> Is there something in the path that root is not allowed to read? Are
> you in a directory where root is not allowed to read?
Ah, yes, I see it now. I hate when I overlook the obvious. These are
being generated because I am logging in with a non-root user, su'ing to
root, and then newrole'ing to auditadm_r - the end result being root
needing these privileges to read the contents of that user's home directory.
If it's not an issue, it would be nice to have these DAC overrides
associated with the administrative roles, since they will need to be
acting as DAC root in most every useful scenario.
Thanks,
Mike