Bug 1128838
| Field | Value |
|---|---|
| Summary | auditctl can not write to files |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Patrik Kis <pkis> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Patrik Kis <pkis> |
| Severity | medium |
| Priority | medium |
| Version | 6.7 |
| CC | dwalsh, mmalik, sgrubb |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-261.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-07-22 07:08:16 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description

Patrik Kis, 2014-08-11 15:37:32 UTC

I'm not sure /tmp would be a good place because audit rules are "secret". You'd have to worry a normal user might see them. I'd think that /root would be a typical place, though, since root users will be able to run auditctl. Another safe place might be /etc/audit/.

Not sure why we are transitioning from unconfined_t to auditctl_t? Most likely this transition should be removed.

It might be to protect the audit rules in the kernel from unauthorized modification. I presume the rules in /etc/audit/audit.rules can only be read by auditctl_t and then the kernel can only be written to from that same domain. It's just a guess.

Well, unconfined_t can read/write anything. Having confinement for sysadm_t would be fine, although, I would argue, somewhat useless also. sysadm_t can setenforce 0. I would remove the transition from unconfined_t.

commit 5b856315b185aba62390896127c7317ba6003413
Author: Miroslav Grepl <mgrepl>
Date: Mon Mar 2 16:11:23 2015 +0100

    remove transition from unconfined user to auditctl.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html
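The symptom behind this bug (auditctl running in auditctl_t instead of the caller's unconfined_t, and so being denied when it writes a rules file) shows up in /var/log/audit/audit.log as AVC denials whose source type is auditctl_t and whose object class is a file. The script below is an added example, not code from the bug report or from the selinux-policy project: it parses AVC records and flags exactly that pattern so an administrator can confirm whether a host is affected before and after applying the fixed policy. The sample records, including their pids, inodes and timestamps, are constructed for illustration; the field names (scontext, tcontext, tclass, comm) are the standard audit AVC fields.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample audit records (not taken from the bug report): two AVC
# denials of the kind that would make "auditctl can not write to files" when
# the tool runs in auditctl_t, one SYSCALL companion record, and one unrelated
# denial from another domain that must not be flagged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1407771452.101:201): avc:  denied  { write } for  pid=2211 comm="auditctl" name="rules.txt" dev=dm-0 ino=131089 scontext=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1407771452.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="auditctl" exe="/sbin/auditctl" subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1407771460.555:202): avc:  denied  { create } for  pid=2212 comm="auditctl" name="audit.rules.bak" scontext=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file
type=AVC msg=audit(1407771470.001:203): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Header of an AVC record: timestamp:serial, result, the permission set in
# braces, then the free-form key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted strings with spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcRecord:
    serial: int
    result: str
    perms: List[str]
    comm: Optional[str]
    source_type: str
    target_type: str
    tclass: str

def domain_type(context: str) -> str:
    """Return the type (third component) of an SELinux context such as
    unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit.log line; return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return AvcRecord(
        serial=int(m.group('serial')),
        result=m.group('result'),
        perms=m.group('perms').split(),
        comm=fields.get('comm'),
        source_type=domain_type(fields.get('scontext', '')),
        target_type=domain_type(fields.get('tcontext', '')),
        tclass=fields.get('tclass', ''),
    )

# Permissions that mean "modify the filesystem object" for the file classes.
FILE_WRITE_PERMS = {'write', 'create', 'append', 'unlink', 'rename', 'setattr'}

def auditctl_file_write_denials(log_text: str) -> List[AvcRecord]:
    """Return AVC denials where a process in auditctl_t was blocked from a
    write-type operation on a file or directory object."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.result != 'denied':
            continue
        if (rec.source_type == 'auditctl_t'
                and rec.tclass in ('file', 'dir')
                and FILE_WRITE_PERMS.intersection(rec.perms)):
            hits.append(rec)
    return hits

if __name__ == '__main__':
    for rec in auditctl_file_write_denials(SAMPLE_AUDIT_LOG):
        print(f"serial={rec.serial} comm={rec.comm} {rec.source_type} -> "
              f"{rec.target_type} {rec.tclass} {{ {' '.join(rec.perms)} }}")
```

On a real host, feed it the contents of /var/log/audit/audit.log instead of SAMPLE_AUDIT_LOG. Once the fixed policy is installed, the policy-side change can be confirmed with setools' `sesearch -T -s unconfined_t -t auditctl_exec_t -c process`, which should return no type_transition rule, and a root shell's `auditctl -l > /root/rules.txt` should stop producing auditctl_t denials.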