Re: "Missing" Audit logging in permissive mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/04/2015 08:54 AM, Ted Rule wrote:

Whilst trying to debug a Web application recently, I had cause to temporarily run the httpd_t domain in permissive mode in order
to work out what extra ACLs/Labels might be required.

In the audit log I noticed that there appeared to be very few AVC messages compared to the number of files and directories created and modified by the httpd_t domain within a user_home_t subtree.

Having built a little test-bed for the issue, I found that with the system in fully-enforcing mode, I got an AVC for every type of every file access denied, as expected.

However, in permissive mode, what seems to happen is that the audit contains only the first AVC corresponding to any given "policy quadruple" of Source Domain, Target Domain, Target Class and Permission. If I re-ran the test script, the audit log for the same events was quiet, even if I used different filenames.

If I run a different test trying "httpd_t, user_home_t, file, read" instead of "httpd_t, user_home_t, file, write" after having previously seen a single log entry for "httpd_t, user_home_t, file, read", then I DO see the "write" being logged, but again, it's only the first instance that gets logged.

If I turn the permissive mode off and on again, and re-run the tests, I get another single AVC in the audit log for each "policy quadruple".

My reading of the results I see so far is that the action of permitting but logging an action within the SELinux engine causes the corresponding "policy quadruple" to be somehow cached in the kernel state after the first log entry is created, but that subsequent actions are not logged if a cache entry already exists. This presumably relates to SELinux's Access Vector Cache, given what I read elsewhere.

One thought was that the quietness in the log was related to SELinux trying to avoid overloading auditd with messages, and that perhaps the cached state might timeout, but this didn't seem to occur.

The kernel/SELinux/audit packages on this CentOS6.7 machine, assuming that these are relevant, under this test were:

kernel-2.6.32-573.3.1.el6.x86_64
selinux-policy-targeted-3.7.19-279.el6_7.4.noarch
audit-2.3.7-5.el6.x86_64

Is this a known "feature" of the way permissive mode is meant to work, and/or is there some other way to flush what I presume to be the cached AVC status?


-- 
Ted Rule

Director, Layer3 Systems Ltd


http://www.layer3.co.uk/







--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

In an old blog

http://danwalsh.livejournal.com/3144.html

I talk about the difference between Permissive and Enforcing.
    • There is a couple of major differences with the way the kernel reports these avc messages.
  1. The kernel will only report the first access violation in permissive mode for a confined domain on a particular object, where as in enforcing mode, it will report each and every denied access.
  2. You can get many additional AVC messages that would never have shown up in enforcing mode. For example if a confined domain was not allowed to read a directory or any of the files in it. In enforcing mode the directory access would be denied and one AVC message would be generated. In Permissive mode, the directory access would generate an AVC, and each file read would generate an AVC.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux