Re: OpenDKIM and SELinux




On 05/13/2014 09:56 AM, James B. Byrne wrote:
> On Mon, May 12, 2014 14:05, Daniel J Walsh wrote:
>
>>> dac_read_search and dac_override are usually bad to add. They typically
>>> mean the permission flags on the file in question are too tight for a
>>> root process to read/use.
>>>
>>> Loosening up the group/other permissions would probably allow a root
>>> process to read the object without requiring these capabilities.
>> I just wrote a quick blog on this.
>>
>> https://danwalsh.livejournal.com/69478.html
>>
>>
> So, to turn on full path reporting I do this:
>
> # echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
> # service auditd restart
>
> My question is: what is the effect that "-w /etc/shadow -p w" has on SELinux
> with respect to reporting the full path of file names in AVCs?  In other
> words, why does that work?
>
This rule above does not affect SELinux at all, specifically.  The rule
above tells the audit system to generate an audit message any time a
process writes to /etc/shadow.  It has the side effect of telling the
kernel to turn on full audit. Full audit gathers full paths before
making a syscall, so if SELinux blocks a syscall, the PATH record gets
generated.

The problem with turning this on by default is that it has a fairly large
performance hit.  ~5%.
We only want to turn on full auditing for people who require it.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
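
Added example, not part of the original message: a small Python parser that groups audit records by event id and pairs each AVC denial with the PATH record from the same event, showing what the reply above describes. The log lines are constructed samples, and the function names (group_records, denials) are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread). Event 101 was logged
# with a watch rule loaded, so it carries a PATH record; event 102 was not.
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.100:101): avc:  denied  { read } for  pid=2001 comm="opendkim" name="default.private" dev="dm-0" ino=4242 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.100:101): arch=c000003e syscall=2 success=no exit=-13 comm="opendkim" exe="/usr/sbin/opendkim"
type=PATH msg=audit(1400000000.100:101): item=0 name="/etc/opendkim/keys/default.private" inode=4242 dev=fd:00
type=AVC msg=audit(1400000050.200:102): avc:  denied  { read } for  pid=2002 comm="opendkim" name="default.private" dev="dm-0" ino=4242 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1400000050.200:102): arch=c000003e syscall=2 success=no exit=-13 comm="opendkim" exe="/usr/sbin/opendkim"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
NAME_RE = re.compile(r'\bname="([^"]*)"')  # hex-encoded or (null) names are skipped
COMM_RE = re.compile(r'\bcomm="([^"]*)"')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")

def group_records(text):
    """Group records by (timestamp, serial); records of one event share that id."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, serial)].append((rtype, body))
    return events

def _field(regex, body):
    m = regex.search(body)
    return m.group(1) if m else None

def denials(text):
    """Return one dict per AVC denial, with full paths when PATH records exist."""
    out = []
    for (ts, serial), records in group_records(text).items():
        paths = [p for t, b in records if t == "PATH" for p in [_field(NAME_RE, b)] if p]
        for rtype, body in records:
            if rtype == "AVC" and "denied" in body:
                out.append({"serial": int(serial), "comm": _field(COMM_RE, body),
                            "perms": (_field(PERM_RE, body) or "").split(),
                            "avc_name": _field(NAME_RE, body), "paths": paths})
    return out

if __name__ == "__main__":
    for d in denials(SAMPLE_LOG):
        where = ", ".join(d["paths"]) or f'{d["avc_name"]} (no PATH record in this event)'
        print(f'event {d["serial"]}: {d["comm"]} denied {d["perms"]} on {where}')
```
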



