"Missing" Audit logging in permissive mode

Ted Rule <ejtr@xxxxxxxxxxxx> · Fri, 4 Sep 2015 13:54:09 +0100



      Whilst trying to debug a Web
        application recently, I had cause to temporarily run the httpd_t
        domain in permissive mode in order

        to work out what extra ACLs/Labels might be required.

        
        In the audit log I noticed that there appeared to be very few
        AVC messages compared to the number of files and directories
        created and modified by the httpd_t domain within a user_home_t
        subtree.

        
        Having built a little test-bed for the issue, I found that with
        the system in fully-enforcing mode, I got an AVC for every type
        of every file access denied, as expected.

        
        However, in permissive mode, what seems to happen is that the
        audit contains only the first AVC corresponding to any given
        "policy quadruple" of Source Domain, Target Domain, Target Class
        and Permission. If I re-ran the test script, the audit log for
        the same events was quiet, even if I used different filenames.

        
        If I run a different test trying "httpd_t, user_home_t, file,
        read" instead of "httpd_t, user_home_t, file, write" after
        having previously seen a single log entry for "httpd_t,
        user_home_t, file, read", then I DO see the "write" being
        logged, but again, it's only the first instance that gets
        logged.

        
        If I turn the permissive mode off and on again, and re-run the
        tests, I get another single AVC in the audit log for each
        "policy quadruple".

        
        My reading of the results I see so far is that the action of
        permitting but logging an action within the SELinux engine
        causes the corresponding "policy quadruple" to be somehow cached
        in the kernel state after the first log entry is created, but
        that subsequent actions are not logged if a cache entry already
        exists. This presumably relates to SELinux's Access Vector
        Cache, given what I read elsewhere.

        
        One thought was that the quietness in the log was related to
        SELinux trying to avoid overloading auditd with messages, and
        that perhaps the cached state might timeout, but this didn't
        seem to occur.

        
        The kernel/SELinux/audit packages on this CentOS6.7 machine,
        assuming that these are relevant, under this test were:

        
        kernel-2.6.32-573.3.1.el6.x86_64

        selinux-policy-targeted-3.7.19-279.el6_7.4.noarch

        audit-2.3.7-5.el6.x86_64

        
        Is this a known "feature" of the way permissive mode is meant to
        work, and/or is there some other way to flush what I presume to
        be the cached AVC status?

        
        -- 
Ted Rule

Director, Layer3 Systems Ltd


http://www.layer3.co.uk/


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux