On Mon, May 12, 2014 14:05, Daniel J Walsh wrote:
> dac_read_search and dac_override are usually bad to add. They typically mean the permission flags on the file in question are too tight for a root process to read/use.
> Loosening up the group/other permissions would probably allow a root process to read the object without requiring these capabilities.
> I just wrote a quick blog on this.
So, to turn on full path reporting I do this:
# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart
My question is: what is the effect that "-w /etc/shadow -p w" has on SELinux with respect to reporting the full path of file names in AVCs? In other words, why does that work?
On 05/13/2014 09:56 AM, James B. Byrne wrote:
> On Mon, May 12, 2014 14:05, Daniel J Walsh wrote:
>> dac_read_search and dac_override are usually bad to add. They typically mean the permission flags on the file in question are too tight for a root process to read/use.
>> Loosening up the group/other permissions would probably allow a root process to read the object without requiring these capabilities.
>> I just wrote a quick blog on this.
> So, to turn on full path reporting I do this:
> # echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
> # service auditd restart
> My question is: what is the effect that "-w /etc/shadow -p w" has on SELinux with respect to reporting the full path of file names in AVCs? In other words, why does that work?
The rule above does not affect SELinux at all, specifically. The rule above tells the audit system to generate an audit message any time a process writes to /etc/shadow. It has the side effect of telling the kernel to turn on full audit. Full audit gathers full paths before making a syscall, so if SELinux blocks a syscall, the PATH record gets generated.
The problem with turning this on by default is that it has a fairly large performance hit, ~5%. We only want to turn on full auditing for people who require it.
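The practical consequence of the mechanism described above is visible in /var/log/audit/log: with full auditing on, an AVC denial is one record of a multi-record event (same `msg=audit(timestamp:serial)` stamp) that also carries SYSCALL, CWD and PATH records, so the full path can be recovered by joining the AVC's `ino=` to the PATH record's `inode=`; without it, only the bare AVC line with a basename in `name=` is logged. (A check worth knowing: `auditctl -l` lists a `-w /etc/shadow -p w` watch as a syscall-exit rule, `-a always,exit -F path=/etc/shadow -F perm=w`, which is exactly the kind of rule that makes the kernel build a per-syscall audit context.) The following parser, added here as an example and not code from the thread or from the audit or SELinux projects, does that join over two constructed events: serial 101 logged with full auditing active, serial 102 without. The log lines are constructed to follow the standard audit.log record layout and are not real denials from any system.

```python
"""Recover full paths for SELinux AVC denials from raw audit.log records.

Added example, not code from the mailing-list thread. SAMPLE_LOG is
constructed to mirror the standard audit.log layout; it is not real data.
"""
import re
from collections import defaultdict

# Constructed sample. Event 101: full auditing was on, so the AVC is joined
# by SYSCALL/CWD/PATH records carrying the same serial. Event 102: no audit
# context existed, so only the bare AVC record (basename only) was emitted.
SAMPLE_LOG = """\
type=AVC msg=audit(1399915200.123:101): avc:  denied  { write } for  pid=4321 comm="backup" name="shadow" dev="dm-0" ino=262200 scontext=system_u:system_r:backup_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1399915200.123:101): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd0 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=4321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="backup" exe="/usr/local/bin/backup" subj=system_u:system_r:backup_t:s0 key=(null)
type=CWD msg=audit(1399915200.123:101):  cwd="/"
type=PATH msg=audit(1399915200.123:101): item=0 name="/etc/shadow" inode=262200 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=AVC msg=audit(1399915300.456:102): avc:  denied  { read } for  pid=4400 comm="backup" name="gshadow" dev="dm-0" ino=262201 scontext=system_u:system_r:backup_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# type=<TYPE> msg=audit(<epoch>:<serial>): <body>
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<body>.*)$')
# key=value pairs; values may be quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set inside an AVC body, e.g. 'denied  { read write }'
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}')


def parse_records(text):
    """Group records by event serial: {serial: [(type, body, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, noise)
        body = m.group('body')
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[int(m.group('serial'))].append((m.group('type'), body, fields))
    return events


def denied_paths(text):
    """For each AVC denial, report the best path the log allows us to name.

    If a PATH record in the same event has an inode matching the AVC's
    'ino=', its 'name=' is the full path (full auditing was on). Otherwise
    we fall back to the basename in the AVC's own 'name=' field.
    """
    results = []
    for serial, records in sorted(parse_records(text).items()):
        by_inode = {f['inode']: f['name']
                    for t, _, f in records if t == 'PATH' and 'inode' in f}
        for rtype, body, f in records:
            if rtype != 'AVC':
                continue
            m = AVC_RE.search(body)
            full = by_inode.get(f.get('ino'))
            results.append({
                'serial': serial,
                'perms': m.group('perms').split() if m else [],
                'scontext': f.get('scontext'),
                'tcontext': f.get('tcontext'),
                'path': full if full is not None else f.get('name'),
                'full_path': full is not None,
            })
    return results


if __name__ == '__main__':
    for r in denied_paths(SAMPLE_LOG):
        how = 'full path from PATH record' if r['full_path'] else 'basename only (no PATH record)'
        print(f"event {r['serial']}: {r['scontext']} denied {r['perms']} on "
              f"{r['path']} [{how}]")
```

Run against a real log, feed it the contents of /var/log/audit/audit.log instead of SAMPLE_LOG; any denial that comes back with `full_path` False was logged while no syscall-exit rule was loaded, which is the situation the watch rule above fixes.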