On Thu, 2010-03-18 at 16:15 -0400, Steve Grubb wrote:
> On Thursday 18 March 2010 01:12:36 pm Daniel J Walsh wrote:
> > > New log context
> > > Allow setting audit tty
> > > Fixing interfaces
> >
> > Why are the sockets being set to system high? Same thing for the pid
> > file? They don't have sensitive data.
>
> /var/run/audispd_events and the pid file is the only thing I recognize as being
> from the audit system. The audit system and everything related to it must be
> at system high.
Again, why? The socket and pid file do not have sensitive data. The
daemon and the log files have the sensitive data.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On 03/19/2010 08:14 AM, Christopher J. PeBenito wrote:
> On Thu, 2010-03-18 at 16:15 -0400, Steve Grubb wrote:
>
>> On Thursday 18 March 2010 01:12:36 pm Daniel J Walsh wrote:
>>
>>>> New log context
>>>> Allow setting audit tty
>>>> Fixing interfaces
>>>>
>>> Why are the sockets being set to system high? Same thing for the pid
>>> file? They don't have sensitive data.
>>>
>> /var/run/audispd_events and the pid file is the only thing I recognize as being
>> from the audit system. The audit system and everything related to it must be
>> at system high.
>>
> Again, why? The socket and pid file do not have sensitive data. The
> daemon and the log files have the sensitive data.
>
>
So your saying the ability to connect to the socket is going to be
blocked on the connecto based on the level of the process on the other
end of the socket.
setroubleshoot_t:SystemLow is not going to be able to connectto
auditd_t:SystemHigh no matter what the socket and pid file are labeled.
On Fri, 2010-03-19 at 08:22 -0400, Daniel J Walsh wrote:
> On 03/19/2010 08:14 AM, Christopher J. PeBenito wrote:
> > On Thu, 2010-03-18 at 16:15 -0400, Steve Grubb wrote:
> >
> >> On Thursday 18 March 2010 01:12:36 pm Daniel J Walsh wrote:
> >>
> >>>> New log context
> >>>> Allow setting audit tty
> >>>> Fixing interfaces
> >>>>
> >>> Why are the sockets being set to system high? Same thing for the pid
> >>> file? They don't have sensitive data.
> >>>
> >> /var/run/audispd_events and the pid file is the only thing I recognize as being
> >> from the audit system. The audit system and everything related to it must be
> >> at system high.
> >>
> > Again, why? The socket and pid file do not have sensitive data. The
> > daemon and the log files have the sensitive data.
> >
> >
> So your saying the ability to connect to the socket is going to be
> blocked on the connecto based on the level of the process on the other
> end of the socket.
>
> setroubleshoot_t:SystemLow is not going to be able to connectto
> auditd_t:SystemHigh no matter what the socket and pid file are labeled.
I'm not sure what you're trying to argue. The connectto is of course
going to be checked if a connect gets past the MAC write check on the
sock_file.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On 03/19/2010 10:13 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-03-19 at 08:22 -0400, Daniel J Walsh wrote:
>
>> On 03/19/2010 08:14 AM, Christopher J. PeBenito wrote:
>>
>>> On Thu, 2010-03-18 at 16:15 -0400, Steve Grubb wrote:
>>>
>>>
>>>> On Thursday 18 March 2010 01:12:36 pm Daniel J Walsh wrote:
>>>>
>>>>
>>>>>> New log context
>>>>>> Allow setting audit tty
>>>>>> Fixing interfaces
>>>>>>
>>>>>>
>>>>> Why are the sockets being set to system high? Same thing for the pid
>>>>> file? They don't have sensitive data.
>>>>>
>>>>>
>>>> /var/run/audispd_events and the pid file is the only thing I recognize as being
>>>> from the audit system. The audit system and everything related to it must be
>>>> at system high.
>>>>
>>>>
>>> Again, why? The socket and pid file do not have sensitive data. The
>>> daemon and the log files have the sensitive data.
>>>
>>>
>>>
>> So your saying the ability to connect to the socket is going to be
>> blocked on the connecto based on the level of the process on the other
>> end of the socket.
>>
>> setroubleshoot_t:SystemLow is not going to be able to connectto
>> auditd_t:SystemHigh no matter what the socket and pid file are labeled.
>>
> I'm not sure what you're trying to argue. The connectto is of course
> going to be checked if a connect gets past the MAC write check on the
> sock_file.
>
>
I am agreeing with you, by saying the connectto check will block no
matter what the socket permission is.
But on Steve's point of view. We would have to jump through hoops to
get auditd to create the pid file and socket at SystemLow, Since it runs
at SystemHigh.