"Missing" Audit logging in permissive mode

Whilst trying to debug a Web application recently, I had cause to temporarily run the httpd_t domain in permissive mode in order to work out what extra ACLs/Labels might be required.

In the audit log I noticed that there appeared to be very few AVC messages compared to the number of files and directories created and modified by the httpd_t domain within a user_home_t subtree.

Having built a little test-bed for the issue, I found that with the system in fully-enforcing mode, I got an AVC for every type of every file access denied, as expected.

However, in permissive mode, what seems to happen is that the audit contains only the first AVC corresponding to any given "policy quadruple" of Source Domain, Target Domain, Target Class and Permission. If I re-ran the test script, the audit log for the same events was quiet, even if I used different filenames.

If I run a different test trying "httpd_t, user_home_t, file, read" instead of "httpd_t, user_home_t, file, write" after having previously seen a single log entry for "httpd_t, user_home_t, file, read", then I DO see the "write" being logged, but again, it's only the first instance that gets logged.

If I turn the permissive mode off and on again, and re-run the tests, I get another single AVC in the audit log for each "policy quadruple".

My reading of the results I see so far is that the action of permitting but logging an action within the SELinux engine causes the corresponding "policy quadruple" to be somehow cached in the kernel state after the first log entry is created, but that subsequent actions are not logged if a cache entry already exists. This presumably relates to SELinux's Access Vector Cache, given what I read elsewhere.

One thought was that the quietness in the log was related to SELinux trying to avoid overloading auditd with messages, and that perhaps the cached state might timeout, but this didn't seem to occur.

The kernel/SELinux/audit packages on this CentOS 6.7 machine, assuming that these are relevant, under this test were:

kernel-2.6.32-573.3.1.el6.x86_64
selinux-policy-targeted-3.7.19-279.el6_7.4.noarch
audit-2.3.7-5.el6.x86_64

Is this a known "feature" of the way permissive mode is meant to work, and/or is there some other way to flush what I presume to be the cached AVC status?


--
Ted Rule
Director, Layer3 Systems Ltd
http://www.layer3.co.uk/


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
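As an added illustration (not code from the post, nor from the SELinux kernel or policy projects), the following Python model reproduces the behaviour described above from the AVC logic that causes it: a cache miss computes the decision and audits the denial, but in permissive mode the denied permission is then granted and folded into the cached allowed vector, so later accesses for the same (source, target, class, permission) hit the cache and never reach the audit path until the cache is reset, as a setenforce toggle or policy reload does. Class and method names, the policy table and the audit line format are simplified assumptions.

```python
from dataclasses import dataclass, field

# Simplified model of the kernel AVC (avc_has_perm / avc_denied / avc_ss_reset).
# Names and the audit line format are assumptions for illustration only.

@dataclass
class AvcNode:
    allowed: set = field(default_factory=set)   # cached allowed permissions

@dataclass
class Avc:
    policy: dict                                # (src, tgt, cls) -> allowed perms
    enforcing: bool = True
    cache: dict = field(default_factory=dict)   # (src, tgt, cls) -> AvcNode
    audit: list = field(default_factory=list)   # emitted AVC records

    def lookup(self, key):
        node = self.cache.get(key)
        if node is None:                        # miss: compute from policy, insert
            node = AvcNode(set(self.policy.get(key, ())))
            self.cache[key] = node
        return node

    def has_perm(self, src, tgt, cls, perm, path):
        node = self.lookup((src, tgt, cls))
        if perm in node.allowed:
            return True                         # cached allow: no audit record
        self.audit.append(f"avc: denied {{ {perm} }} path={path} scontext={src} "
                          f"tcontext={tgt} tclass={cls} permissive={int(not self.enforcing)}")
        if self.enforcing:
            return False                        # enforcing: denied, node unchanged
        node.allowed.add(perm)                  # permissive: grant and cache the grant
        return True

    def setenforce(self, value):
        if value != self.enforcing:
            self.enforcing = value
            self.cache.clear()                  # toggling enforcing resets the AVC

def run_scenario():
    """Constructed walk-through of the post's test: returns audit counts after
    two writes to different files, after a first read, and after a
    setenforce 1/0 toggle followed by another write."""
    avc = Avc(policy={("httpd_t", "user_home_t", "file"): set()})
    avc.setenforce(False)
    for path in ("/home/u/a.txt", "/home/u/b.txt"):
        avc.has_perm("httpd_t", "user_home_t", "file", "write", path)
    after_writes = len(avc.audit)               # 1: second write hits the cache
    avc.has_perm("httpd_t", "user_home_t", "file", "read", "/home/u/a.txt")
    after_read = len(avc.audit)                 # 2: new permission, new record
    avc.setenforce(True)
    avc.setenforce(False)
    avc.has_perm("httpd_t", "user_home_t", "file", "write", "/home/u/c.txt")
    return after_writes, after_read, len(avc.audit)   # (1, 2, 3)
```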