From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 01 Mar 2011 15:13:17 -0500
Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
In-Reply-To: <1299009721.14035.11.camel@tesla.lan>
References: <1297836459.3205.45.camel@tesla.lan> <4D65176A.3050008@tresys.com> <1298489333.22930.14.camel@tesla.lan> <1299009721.14035.11.camel@tesla.lan>
Message-ID: <4D6D535D.2050708@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/01/2011 03:02 PM, Guido Trentalancia wrote:
> Hello Christopher !
>
> Finally I am getting back on this...
>
> On Wed, 23/02/2011 at 20.28 +0100, Guido Trentalancia wrote:
>> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>>> This patch adds some permissions (through interface calls) needed
>>>> by the sysadm role (in particular logging permissions).
>>>>
>>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
>>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
>>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>>> ubac_fd_exempt(sysadm_t)
>>>>
>>>> init_exec(sysadm_t)
>>>> +init_stream_connect(sysadm_t)
>>>
>>> Is this on an upstart system? If so these two rules should probably
>>> turn into init_telinit() and also that interface updated to handle
>>> stream sockets.
>>
>> I confirm it's an upstart system. At the moment I can't check about the
>> interface that you suggest to use. If it is equivalent, then that's
>> fine. Is it a way to compact things ?
>>
>> Do you think we should use the upstart boolean here ?
>>
>>>> +logging_send_audit_msgs(sysadm_t)
>>>
>>> Why is this necessary?
>>
>> I am not sure. If I can get some more insight on this I will let you
>> know later on or tomorrow.
>>
>>>> +logging_set_tty_audit(sysadm_t)
>>>>
>>>> # Add/remove user home directories
>>>> userdom_manage_user_home_dirs(sysadm_t)
>
> I found the following logs about the logging calls:
>
> type=AVC msg=audit(1295734084.283:24): avc: denied { create } for pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.261:20): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.536:21): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295736796.387:81): avc: denied { nlmsg_relay } for pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294619138.946:19637): avc: denied { create } for pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294683721.351:42): avc: denied { write } for pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
>
> From the sysadm_t context, I bet this is something interactive from the
> console. And I told you already that there are a few problems from the
> console. It needs to be checked carefully as soon as you have finished
> to evaluate and commit the patches that I have already submitted.
>
> Regards,
>
> Guido

bash has builtin audit logging.
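Review bot: the `+init_stream_connect(sysadm_t)` line grants sysadm_t a bare, unconditional stream connect to init, but the thread establishes that the need is upstart-specific, so it should either be folded into init_telinit() (with that interface extended for stream sockets, as Christopher suggests) or guarded by the upstart tunable Guido asks about, not added as a standalone rule. The two logging calls also carry no comment: the AVC records quoted further down (comm="bash", tclass=netlink_audit_socket, denied create, write and nlmsg_relay) together with Dan's reply that bash has builtin audit logging are the rationale for `+logging_send_audit_msgs(sysadm_t)`, and that reason belongs in sysadm.te as a comment above the call so the next reader does not have to re-ask "Why is this necessary?"; the logging_set_tty_audit() call has no matching denial anywhere in the thread and needs its own justification or should be dropped. Finally, the `@@ -34,6 +34,10 @@` header counts four added lines while only three `+` lines are quoted, so the hunk as posted is inconsistent and the patch should be resent unmangled before it is applied.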