Running selinux-policy-2.3.2-1 targeted/permissive.
Doing my usual 'yum update' of yesterday's rawhide (including selinux-policy-2.3.2-2), I noticed this in audit log:
type=AVC msg=audit(1152799768.153:34): avc: denied { audit_write } for pid=3084 comm="useradd" capability=29 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:system_r:useradd_t:s0 tclass=capability
type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0 auid=500 subj=user_u:system_r:useradd_t:s0 msg='op=adding user acct=dbus exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=SYSCALL msg=audit(1152799768.153:34): arch=40000003 syscall=102 success=yes exit=116 a0=b a1=bf95a240 a2=6ecff4 a3=bf96068e items=0 ppid=3083 pid=3084 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" subj=user_u:system_r:useradd_t:s0 key=(null)
type=SOCKADDR msg=audit(1152799768.153:34): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1152799768.153:34): nargs=6 a0=3 a1=bf95e4dc a2=74 a3=0 a4=bf95a270 a5=c
tom
On Thu, 2006-07-13 at 07:16 -0700, Tom London wrote:
> Running selinux-policy-2.3.2-1 targeted/permissive.
> Doing my usual 'yum update' of yesterday's rawhide (including selinux-policy-2.3.2-2), I noticed this in audit log:
> type=AVC msg=audit(1152799768.153:34): avc: denied { audit_write } for pid=3084 comm="useradd" capability=29 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:system_r:useradd_t:s0 tclass=capability
> type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0 auid=500 subj=user_u:system_r:useradd_t:s0 msg='op=adding user acct=dbus exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=failed)'
> type=SYSCALL msg=audit(1152799768.153:34): arch=40000003 syscall=102 success=yes exit=116 a0=b a1=bf95a240 a2=6ecff4 a3=bf96068e items=0 ppid=3083 pid=3084 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" subj=user_u:system_r:useradd_t:s0 key=(null)
> type=SOCKADDR msg=audit(1152799768.153:34): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1152799768.153:34): nargs=6 a0=3 a1=bf95e4dc a2=74 a3=0 a4=bf95a270 a5=c
Yes, another program instrumented for audit generation needs that capability. Why wasn't this taken care of when these programs were originally instrumented for audit? (We are only now getting audit denials due to the netlink capability checking patch that went into recent kernels, but this would have been getting denied all along, so I would have expected it to show up in testing).
Stephen Smalley wrote:
> On Thu, 2006-07-13 at 07:16 -0700, Tom London wrote:
> > Running selinux-policy-2.3.2-1 targeted/permissive.
> > Doing my usual 'yum update' of yesterday's rawhide (including selinux-policy-2.3.2-2), I noticed this in audit log:
> > type=AVC msg=audit(1152799768.153:34): avc: denied { audit_write } for pid=3084 comm="useradd" capability=29 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:system_r:useradd_t:s0 tclass=capability
> > type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0 auid=500 subj=user_u:system_r:useradd_t:s0 msg='op=adding user acct=dbus exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=failed)'
> > type=SYSCALL msg=audit(1152799768.153:34): arch=40000003 syscall=102 success=yes exit=116 a0=b a1=bf95a240 a2=6ecff4 a3=bf96068e items=0 ppid=3083 pid=3084 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" subj=user_u:system_r:useradd_t:s0 key=(null)
> > type=SOCKADDR msg=audit(1152799768.153:34): saddr=100000000000000000000000
> > type=SOCKETCALL msg=audit(1152799768.153:34): nargs=6 a0=3 a1=bf95e4dc a2=74 a3=0 a4=bf95a270 a5=c
> Yes, another program instrumented for audit generation needs that capability. Why wasn't this taken care of when these programs were originally instrumented for audit? (We are only now getting audit denials due to the netlink capability checking patch that went into recent kernels, but this would have been getting denied all along, so I would have expected it to show up in testing).
Testing in permissive mode I guess.
> Yes, another program instrumented for audit generation needs that capability.
There's a lot of them. Someone needs to look at all the places where CAP_AUDIT_WRITE and CONTROL were and update the policy. This broke about 2-3 weeks ago. This stuff used to work.
> Why wasn't this taken care of when these programs were originally instrumented for audit?
They were. Something broke a couple weeks ago. Look back when someone reported the hwclock problem. That's when all this occurred. I thought it would have been fixed, too.
-Steve
On 7/13/06, Steve G linux_4ever@yahoo.com wrote:
> > Yes, another program instrumented for audit generation needs that capability.
> There's a lot of them. Someone needs to look at all the places where CAP_AUDIT_WRITE and CONTROL were and update the policy. This broke about 2-3 weeks ago. This stuff used to work.
> > Why wasn't this taken care of when these programs were originally instrumented for audit?
> They were. Something broke a couple weeks ago. Look back when someone reported the hwclock problem. That's when all this occurred. I thought it would have been fixed, too.
> -Steve
Also one for groupadd:
type=AVC msg=audit(1152800976.477:60): avc: denied { audit_write } for pid=5737 comm="groupadd" capability=29 scontext=user_u:system_r:groupadd_t:s0 tcontext=user_u:system_r:groupadd_t:s0 tclass=capability
type=USER_CHAUTHTOK msg=audit(1152800976.477:61): user pid=5737 uid=0 auid=500 subj=user_u:system_r:groupadd_t:s0 msg='op=adding group acct=rpm exe="/usr/sbin/groupadd" (hostname=?, addr=?, terminal=? res=failed)'
type=SYSCALL msg=audit(1152800976.477:60): arch=40000003 syscall=102 success=yes exit=112 a0=b a1=bfaf66e0 a2=6ecff4 a3=bfafcb2e items=0 ppid=5736 pid=5737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="groupadd" exe="/usr/sbin/groupadd" subj=user_u:system_r:groupadd_t:s0 key=(null)
type=SOCKADDR msg=audit(1152800976.477:60): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1152800976.477:60): nargs=6 a0=3 a1=bfafa97c a2=70 a3=0 a4=bfaf6710 a5=c
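As an added illustration (not code from this thread, from the audit package or from the Fedora policy), the following Python does the "look at all the denials and update the policy" step Steve describes: it splits the run-together audit output into records, picks out the capability denials, and prints the allow rule each one calls for in the same shape audit2allow would. The sample input is constructed from the two AVC records quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample built from the two denials quoted in this thread, kept in the
# run-together form the list archive shows (several records on one line).
# capability=29 is CAP_AUDIT_WRITE; CAP_AUDIT_CONTROL would be 30.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1152799768.153:34): avc: denied { audit_write } for pid=3084 '
    'comm="useradd" capability=29 scontext=user_u:system_r:useradd_t:s0 '
    'tcontext=user_u:system_r:useradd_t:s0 tclass=capability '
    'type=USER_CHAUTHTOK msg=audit(1152799768.153:35): user pid=3084 uid=0 auid=500 '
    'type=AVC msg=audit(1152800976.477:60): avc: denied { audit_write } for pid=5737 '
    'comm="groupadd" capability=29 scontext=user_u:system_r:groupadd_t:s0 '
    'tcontext=user_u:system_r:groupadd_t:s0 tclass=capability'
)

# Every audit record starts with "type=<NAME> msg=audit(...)"; split on that boundary.
RECORD_BOUNDARY = re.compile(r'(?=\btype=[A-Z_]+ msg=audit\()')

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """user:role:type[:level] -> type, the field allow rules are written against."""
    return context.split(":")[2]

def split_records(log_text):
    return [r.strip() for r in RECORD_BOUNDARY.split(log_text) if r.strip()]

def denied_rules(log_text):
    """Collect AVC denials and return the allow rules that would cover them.
    Source type == target type is written as 'self', as audit2allow does."""
    perms_by_key = defaultdict(set)
    for rec in split_records(log_text):
        m = AVC_RE.match(rec)
        if not m:
            continue  # SYSCALL, USER_CHAUTHTOK, ... carry no denial
        src, tgt = selinux_type(m["scontext"]), selinux_type(m["tcontext"])
        target = "self" if src == tgt else tgt
        perms_by_key[(src, target, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, target, tclass), perms in sorted(perms_by_key.items()):
        p = " ".join(sorted(perms))
        p = f"{{ {p} }}" if len(perms) > 1 else p
        rules.append(f"allow {src} {target}:{tclass} {p};")
    return rules

if __name__ == "__main__":
    for rule in denied_rules(SAMPLE_AUDIT):
        print(rule)
```

The generated rules are a review list, not something to load blindly: for denials like these the right place for the fix is the domain's own policy (useradd_t, groupadd_t), which is the point Steve makes about updating every place CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL are used.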
selinux@lists.fedoraproject.org