On 05/13/2014 09:56 AM, James B. Byrne wrote:
> On Mon, May 12, 2014 14:05, Daniel J Walsh wrote:
>
>>> dac_read_search and dac_override are usually bad to add. They typically
>>> mean the permission flags on the file in question are too tight for a
>>> root process to read/use.
>>>
>>> Loosening up the group/other permissions would probably allow a root
>>> process to read the object without requiring these capabilities.
>> I just wrote a quick blog on this.
>>
>> https://danwalsh.livejournal.com/69478.html
>>
>>
> So, to turn on full path reporting I do this:
>
> # echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
> # service auditd restart
>
> My question is: what is the effect that "-w /etc/shadow -p w" has on SELinux
> with respect to reporting the full path of file names in AVCs? In other
> words, why does that work?
>

The rule above does not affect SELinux at all, specifically. The rule above tells the audit system to generate an audit message any time a process writes to /etc/shadow. It has the side effect of telling the kernel to turn on full audit. Full audit gathers full paths before making a syscall, so if SELinux blocks a syscall, the PATH record gets generated.

The problem with turning this on by default is that it has a fairly large performance hit. ~5%. We only want to turn on full auditing for people who require it.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
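The PATH record described in the reply is what lets an analyst attach a full path to an AVC denial. As an added example that is not part of the thread, the Python below groups audit records by the serial number inside msg=audit(ts:serial) and, for each AVC, reports the path from the event's PATH record when full auditing was on, falling back to the bare name= field when it was not. The audit.log lines are constructed for the example.

```python
import re

# Constructed audit.log excerpt (not from the thread). Event 300 was logged
# with full auditing on, so a PATH record follows the AVC; event 301 was not,
# so only the bare name= field from the AVC itself is available.
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.101:300): avc:  denied  { read } for  pid=2210 comm="backup" name="shadow" dev="sda1" ino=131081 scontext=system_u:system_r:backup_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.101:300): arch=c000003e syscall=2 success=no exit=-13 comm="backup" exe="/usr/bin/backup" subj=system_u:system_r:backup_t:s0
type=PATH msg=audit(1400000000.101:300): item=0 name="/etc/shadow" inode=131081 dev=08:01 mode=0100000 ouid=0 ogid=0 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=AVC msg=audit(1400000000.205:301): avc:  denied  { write } for  pid=2211 comm="updater" name="shadow" dev="sda1" ino=131081 scontext=system_u:system_r:updater_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Every record of one event shares the serial inside msg=audit(ts:serial).
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into (type, serial, {field: value}) or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    if rtype == "AVC":
        perms = re.search(r'\{ ([^}]+) \}', body)
        fields["perms"] = perms.group(1).strip() if perms else ""
    return rtype, int(serial), fields

def correlate_avcs(log_text):
    """Return one dict per AVC denial: serial, comm, perms, the AVC's own
    name= value, and path (from the event's PATH record, else None)."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, fields = rec
        ev = events.setdefault(serial, {"avc": [], "paths": []})
        if rtype == "AVC":
            ev["avc"].append(fields)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    report = []
    for serial in sorted(events):
        ev = events[serial]
        for avc in ev["avc"]:
            report.append({"serial": serial, "comm": avc.get("comm"),
                           "perms": avc["perms"], "name": avc.get("name"),
                           "path": ev["paths"][0] if ev["paths"] else None})
    return report
```

Running correlate_avcs over a real /var/log/audit/log shows at a glance which denials were captured with full auditing on (path set) and which were not (path None, only the file's base name from the AVC).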