
Write policy for starting/stopping/restarting auditd #194

Open
ghost opened this issue Aug 2, 2015 · 6 comments

Comments

@ghost

ghost commented Aug 2, 2015

type=USER_AVC msg=audit(1438545469.052:1539): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/auditd.service" cmdline="systemctl restart auditd.service" scontext=toor_u:toor_r:toor_t:s0 tcontext=system_u:object_r:auditd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

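As an added example (not code from this issue or from the CLIP project), a small Python triage of USER_AVC records like the one above: it pulls out the source and target types, the object class and the denied permission, builds the allow rule that audit2allow would propose, and separates a sanctioned privileged domain (toor_t, as this thread concludes) from an unexpected one. The sysadm_t entry and the second, user_t sample record are assumptions constructed for contrast.

```python
import re

# Constructed sample records: the first is the USER_AVC line quoted in this issue,
# the second is a made-up variant with an unprivileged source domain for contrast.
RECORDS = [
    "type=USER_AVC msg=audit(1438545469.052:1539): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } "
    "for auid=1000 uid=0 gid=0 path=\"/usr/lib/systemd/system/auditd.service\" "
    "cmdline=\"systemctl restart auditd.service\" scontext=toor_u:toor_r:toor_t:s0 "
    "tcontext=system_u:object_r:auditd_unit_file_t:s0 tclass=service "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1438545470.001:1540): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } "
    "for auid=1001 uid=1001 gid=1001 path=\"/usr/lib/systemd/system/auditd.service\" "
    "cmdline=\"systemctl stop auditd.service\" scontext=user_u:user_r:user_t:s0 "
    "tcontext=system_u:object_r:auditd_unit_file_t:s0 tclass=service "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]

# Domains allowed to manage auditd: toor_t per this thread; sysadm_t is an assumption
# (the usual refpolicy admin domain), not something the issue states.
AUDITD_MANAGERS = {"toor_t", "sysadm_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(record):
    """Extract the fields a policy writer needs; None if the line carries no AVC."""
    m = AVC_RE.search(record)
    if not m:
        return None
    f = m.groupdict()
    f["perms"] = f["perms"].split()
    # An SELinux context is user:role:type[:range]; TE rules key on the type.
    f["stype"] = f["scontext"].split(":")[2]
    f["ttype"] = f["tcontext"].split(":")[2]
    return f

def allow_rule(f):
    """The TE allow rule that would resolve this denial (same shape audit2allow emits)."""
    return "allow %s %s:%s { %s };" % (f["stype"], f["ttype"], f["tclass"], " ".join(f["perms"]))

def triage(record):
    """'policy-gap' when a sanctioned domain was blocked, 'alert' otherwise, 'skip' if not an AVC."""
    f = parse_avc(record)
    if f is None:
        return ("skip", None)
    if f["ttype"] == "auditd_unit_file_t" and f["stype"] in AUDITD_MANAGERS:
        return ("policy-gap", allow_rule(f))
    return ("alert", "%s attempted { %s } on %s" % (f["stype"], " ".join(f["perms"]), f["ttype"]))
```

Only the policy-gap verdict should turn into a rule; an alert verdict is a denial worth keeping, and the auditd unit stays reserved for the privileged role.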
@ghost ghost self-assigned this Aug 2, 2015
@ghost ghost added this to the RHEL_7-Beta milestone Aug 2, 2015
@mpalmi
Contributor

mpalmi commented Aug 3, 2015

[toor@localhost ~]$ getenforce && systemctl restart auditd.service
Permissive
Failed to issue method call: Access denied

@ykhodorkovskiy The toor user doesn't even have the DAC perms to do this in permissive. Should this user be able to start auditd or should this perm be reserved for a privileged role?

@ghost
Author

ghost commented Aug 3, 2015

This should only be done as root or a privileged role.


@mpalmi
Contributor

mpalmi commented Aug 3, 2015

Ah, right. My bad. I was thinking toor_t was an unpriv user label.

@mpalmi
Contributor

mpalmi commented Aug 7, 2015

When I attempt to stop auditd with systemctl stop auditd.service (in both Enforcing/Permissive), I get:
Failed to issue method call: Operation refused, unit auditd.service may be requested by dependency only.

It appears that the proper usage is service auditd stop/start/restart, all of which work in Enforcing on mpalmi@64322f0

@ghost
Author

ghost commented Aug 9, 2015

Verified that this was resolved with #134. Leaving this open until #134 is merged.

@ghost ghost closed this as completed Sep 2, 2015
@minapoli
Contributor

sudo service auditd stop
fails in enforcing
