Bug 597565
| Summary: | sudo ausearch can be pointed at non auditd_log_t files | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | LC Bruzenak <lenny> |
| Component: | mlmmj | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | CC: | dwalsh, joe, lenny, mfleming+rpm, sgrubb |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-06-03 21:19:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
LC Bruzenak
2010-05-29 15:54:30 UTC
This would not be an audit problem. You would need to make sure that sudo's pam stack is set such that you are in a restricted role and that selinux policy forbids ausearch from opening any other files.

I agree; I don't know about the pam part but policy certainly. Would I reassign it to "policy"?

Reassigning to rawhide.

I think you are requesting that an unconfined user set up to use sudo would suddenly transition to another role when running ausearch?

I don't know if it is really transiting to another role; maybe the role it is in is too powerful? I believe it is now allowed to cross DAC boundaries. Here is an example (jcdxdev account is only allowed to ausearch in the sudoers file):

```
[jcdxdev@slim ~]$ id
uid=501(jcdxdev) gid=501(jcdxdev) groups=501(jcdxdev) context=user_u:user_r:user_t:s0
[jcdxdev@slim ~]$ cat /etc/audit/auditd.conf
cat: /etc/audit/auditd.conf: Permission denied
[jcdxdev@slim ~]$ sudo !!
sudo cat /etc/audit/auditd.conf
[sudo] password for jcdxdev:
Sorry, user jcdxdev is not allowed to execute '/bin/cat /etc/audit/auditd.conf' as root on slim.
[jcdxdev@slim ~]$ sudo ausearch -if /etc/audit/auditd.conf
[sudo] password for jcdxdev:
----
time->Wed Nov 11 18:53:36 1970
#
----
time->Wed Nov 11 18:53:36 1970
# This file controls the configuration of the audit daemon
----
time->Wed Nov 11 18:53:36 1970
#
....
```

The DAC/MAC on the auditd.conf file is:

```
-rw-r----- root root system_u:object_r:auditd_etc_t:s15:c0.c1023 /etc/audit/auditd.conf
```

whereas the audit files intended to be searched are:

```
-rw------- root root system_u:object_r:auditd_log_t:s15:c0.c1023 audit.log
```

I would think it would be best to say that the ausearch executable should only be able to access files of the auditd_log_t type. Right?

Here is the sudoers entry (machine name "slim"):

```
jcdxdev slim=/sbin/ausearch
```

sudo has a '-r' option to change roles. You can add SELinux policy for this but you could also just create a script.

I would recommend that you install a shell that will only allow certain ausearch commands. Maybe just eliminate the -if flag.

```sh
# more /usr/bin/myausearch
#!/bin/sh
# Refuse the -if (input file) option; pass every other argument through to ausearch.
for i in "$@"; do
    if [ "$i" = "-if" ]; then
        echo '"-if" option is not allowed'
        exit 1
    fi
done
ausearch "$@"
```

Then just allow your user to execute myausearch.

OK; thanks Dan. If you think it should be fixed this way then this bug can be closed as far as I'm concerned. I appreciate the info!
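The myausearch script above works as a deny-list keyed on one spelling of one flag; the ausearch man page lists `-if` as the short form of `--input`, so a deny-list has to track every spelling. An added example (not the script from this bug report, nor part of the audit project) of the same idea written as an allow-list: only a fixed set of search options, none of which names a file to read, is passed through. The `AUSEARCH` override and the `validate_args`/`run_wrapper` names are this example's own.

```sh
#!/bin/sh
# Added example, not the script from the bug report: an allow-list wrapper for
# ausearch that refuses any option not explicitly permitted (so -if, --input and
# every unknown spelling are rejected without being listed individually).
# AUSEARCH is a hypothetical override of the binary path, so the validation
# logic can be exercised on a machine without auditd installed.
: "${AUSEARCH:=/sbin/ausearch}"

# validate_args: return 0 only if every argument is a permitted option or the
# value belonging to one. Unknown options, a dangling option with no value, and
# a value that itself looks like an option all return 1.
validate_args() {
    [ $# -gt 0 ] || return 1          # ausearch needs at least one criterion
    expect_value=0
    for arg in "$@"; do
        if [ "$expect_value" -eq 1 ]; then
            case "$arg" in
                -*) return 1 ;;       # an option where a value was expected
            esac
            expect_value=0
            continue
        fi
        case "$arg" in
            # Permitted options that take one value; none of them reads a file.
            # Extend deliberately; never add -if/--input here.
            -m|--message|-k|--key|-ui|--uid|-p|--pid|-x|--executable)
                expect_value=1 ;;
            # Permitted options without a value.
            -i|--interpret|-r|--raw)
                ;;
            *)  return 1 ;;           # everything else, including -if, is refused
        esac
    done
    [ "$expect_value" -eq 0 ]         # fail if the last option had no value
}

# run_wrapper: the sudo-invoked entry point; refuses the whole command line if
# any argument fails validation, so nothing reaches ausearch partially filtered.
run_wrapper() {
    if ! validate_args "$@"; then
        echo "myausearch: only a fixed set of ausearch search options is permitted" >&2
        return 1
    fi
    exec "$AUSEARCH" "$@"
}

# Act as the wrapper only when given arguments; sourcing the file is harmless.
[ $# -eq 0 ] || run_wrapper "$@"
```

The sudoers entry from the report would then point at this wrapper instead of /sbin/ausearch, and the allow-list is the only place that needs review when a new search option is wanted.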