Bug 828495 - RFE: semanage port generates an audit message when modifying the policy configuration
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.0
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Steve Grubb
QA Contact: Milos Malik
Keywords: FutureFeature
Depends On:
Blocks: 829175
Reported: 2012-06-04 15:35 EDT by Milos Malik
Modified: 2014-06-18 00:13 EDT (History)

See Also:
Fixed In Version: audit-2.3.2-3.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Clones: 829175
Environment:
Last Closed: 2014-06-13 07:02:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Milos Malik 2012-06-04 15:35:58 EDT
Description of problem:


Version-Release number of selected component (if applicable):
policycoreutils-2.1.11-18.el7.x86_64
policycoreutils-newrole-2.1.11-18.el7.x86_64
policycoreutils-python-2.1.11-18.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# semanage port -l | grep zope_port_t
zope_port_t                    tcp      8021
# semanage port -a -t zope_port_t -p tcp 8877
# semanage port -l | grep zope_port_t
zope_port_t                    tcp      8877, 8021
# ausearch -x semanage
<no matches>
#
  
Actual results:
* no audit messages are generated

Expected results:
* proper audit messages are generated
Comment 1 Daniel Walsh 2012-06-04 16:03:40 EDT
Not sure if this is an auditable event.
Comment 2 Steve Grubb 2012-06-05 07:54:56 EDT
Any change to the MAC policy such as changing boolean values, changing labels to ports or files, or enforcement of policy should be audited. Basically, if it affects enforcement, we need it. If there is a value to the setting, we need the previous and the new value. I think we are currently using AUDIT_MAC_CONFIG_CHANGE for the event type, which is a kernel event.
Comment 3 Milos Malik 2012-06-06 03:16:01 EDT
semanage fcontext should also generate some kind of audit message.
semanage module generates audit message of MAC_POLICY_LOAD type, but it's not clear which module was enabled or disabled.
Comment 4 Daniel Walsh 2012-06-07 14:34:13 EDT
The semanage now has AUDIT_ROLE_ASSIGN and AUDIT_ROLE_REMOVE; these definitions have nothing to do with these changes.

If we want to audit other definitions within semanage, it would seem that we need new AUDIT records. Not really sure if we can catch all the data here, since loading a kernel module can make similar changes. Running something that changes the label on an object would be audited if someone was watching.
Comment 5 Daniel Walsh 2012-09-17 14:18:28 EDT
The problem with this is that we also do not audit chcon commands, which can be used to modify the label on a file.

I still have no information on what AUDIT Message should be sent on these changes.
Comment 6 Daniel Walsh 2012-10-16 13:27:26 EDT
If you want audit messages particular to ports or other stuff within semanage, we need either new audit message types or someone to define which type I should use.
Comment 7 Steve Grubb 2013-10-02 12:10:55 EDT
AUDIT_USER_MAC_CONFIG_CHANGE event identifier added upstream. It can be added to packages like this:

#ifndef AUDIT_USER_MAC_CONFIG_CHANGE
#define AUDIT_USER_MAC_CONFIG_CHANGE 2312
#endif

But I will be updating the audit package with this change.
Comment 9 Steve Grubb 2013-10-03 09:26:03 EDT
audit-2.3.2-3.el7 added the new identifier.
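Added example, not part of this bug report and not code from semanage or the audit project: a small parser that pulls the new USER_MAC_CONFIG_CHANGE (2312) records out of raw audit log text, so the change described in comments 2 and 7 can be consumed by detection tooling. The kernel framing of the records (type=, msg=audit(ts:serial), pid/uid/auid/ses/subj, then a quoted msg='...' payload) is the standard one for userspace-originated audit messages; the key=value fields inside the payload (resrc, op, lport, proto, tcontext, old, new) are assumptions for this example and are not quoted from semanage's source. The sample records are constructed. One caveat it handles: auditd writes records whose type number it does not recognise as type=UNKNOWN[n], so on a host whose audit userspace predates audit-2.3.2 the same event appears as type=UNKNOWN[2312].

```python
"""Parse USER_MAC_CONFIG_CHANGE records out of raw audit log text (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Event type added in audit-2.3.2 (comment 7). An auditd that predates the
# identifier writes the record as type=UNKNOWN[2312] instead of the name.
AUDIT_USER_MAC_CONFIG_CHANGE = 2312
TYPE_NAMES = {AUDIT_USER_MAC_CONFIG_CHANGE: "USER_MAC_CONFIG_CHANGE"}

# Constructed sample records (not captured from a real system). The fields inside
# msg='...' (resrc, op, lport, proto, tcontext, old, new) are assumed for this example.
SAMPLE_RECORDS = """\
type=USER_MAC_CONFIG_CHANGE msg=audit(1380734400.123:456): pid=2140 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=port op=add lport=8877 proto=6 tcontext=system_u:object_r:zope_port_t:s0 exe="/usr/bin/python" hostname=? addr=? terminal=pts/0 res=success'
type=UNKNOWN[2312] msg=audit(1380734460.500:457): pid=2141 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=boolean op=modify name=httpd_can_network_connect old=0 new=1 exe="/usr/bin/python" hostname=? addr=? terminal=pts/0 res=success'
type=USER_MAC_CONFIG_CHANGE msg=audit(1380734500.001:458): pid=2142 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=port op=delete lport=8877 proto=6 exe="/usr/bin/python" hostname=? addr=? terminal=pts/0 res=failed'
type=USER_AUTH msg=audit(1380734600.000:459): pid=2200 uid=0 auid=1000 ses=3 msg='op=PAM:authentication acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=pts/0 res=success'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value tokens; a value is "double-quoted", 'single-quoted' or a bare word.
KV_RE = re.compile(r"""(?P<key>[\w-]+)=(?P<val>"[^"]*"|'[^']*'|\S+)""")


def parse_kv(text: str) -> Dict[str, str]:
    """Split an audit field list into a dict, stripping surrounding quotes."""
    return {m["key"]: m["val"].strip("\"'") for m in KV_RE.finditer(text)}


def resolve_type(raw: str) -> Optional[int]:
    """Map a record's type= field to its numeric id, accepting the UNKNOWN[n] form."""
    m = re.fullmatch(r"UNKNOWN\[(\d+)\]", raw)
    if m:
        return int(m.group(1))
    for num, name in TYPE_NAMES.items():
        if name == raw:
            return num
    return None


@dataclass
class MacConfigChange:
    serial: int
    timestamp: float
    auid: str                    # login uid: who is accountable, even after su/sudo
    ses: str
    subj: str
    resrc: str                   # which part of the policy config: port, boolean, ...
    op: str                      # add / modify / delete
    result: str
    exe: str
    type_resolved_locally: bool  # False when auditd wrote type=UNKNOWN[2312]
    details: Dict[str, str] = field(default_factory=dict)  # old/new values etc.


def extract_mac_config_changes(log_text: str) -> List[MacConfigChange]:
    """Return every USER_MAC_CONFIG_CHANGE record in log_text as a structured event."""
    changes = []
    meta_keys = {"resrc", "op", "exe", "hostname", "addr", "terminal", "res"}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m or resolve_type(m["type"]) != AUDIT_USER_MAC_CONFIG_CHANGE:
            continue
        outer = parse_kv(m["body"])
        # The userspace payload is the single-quoted value of the outer "msg" key.
        inner = parse_kv(outer.get("msg", ""))
        changes.append(MacConfigChange(
            serial=int(m["serial"]),
            timestamp=float(m["ts"]),
            auid=outer.get("auid", "?"),
            ses=outer.get("ses", "?"),
            subj=outer.get("subj", "?"),
            resrc=inner.get("resrc", "?"),
            op=inner.get("op", "?"),
            result=inner.get("res", "?"),
            exe=inner.get("exe", "?"),
            type_resolved_locally=not m["type"].startswith("UNKNOWN["),
            details={k: v for k, v in inner.items() if k not in meta_keys},
        ))
    return changes


if __name__ == "__main__":
    for c in extract_mac_config_changes(SAMPLE_RECORDS):
        print(f"{c.serial} auid={c.auid} {c.resrc} {c.op} {c.details} res={c.result}")
```

Feed it the lines from /var/log/audit/audit.log or the output of `ausearch --raw`. Note that semanage is a Python program, so the exe= field carries the interpreter path rather than "semanage"; searching by executable name, as the report's `ausearch -x semanage` does, will not select these records, while the auid and ses fields do identify the operator.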
Comment 14 Ludek Smid 2014-06-13 07:02:45 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
