Stephen Smalley wrote:
On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
Eamon Walsh wrote:
The X object manager logs all avc's and status messages (including the
AVC netlink stuff) through the audit system using libaudit calls
(audit_log_user_avc_message, etc.). I disavow all responsibility for
the messages once they enter libaudit.
It's being black-holed in rawhide. To see for yourself, add the
attached patch to the spec file and rebuild the xserver from SRPM. It
will tee the avc messages into /var/log/Xorg.0.log.
Looking at the corresponding code in dbus, I see that dbus is calling
both audit_log_user_avc_message() (if HAVE_LIBAUDIT) and
vsyslog(LOG_INFO...) with the message.
Should the X server do this also? Why does it need to be logged twice?
Can you verify that the X server was able to create the audit socket
successfully?
Yes, because when I actually install the audit package, things started
appearing in /var/log/audit/audit.log. I did not have the audit package
installed. Why isn't it redirecting to /var/log/messages in this case?
This is the behavior I was led to believe would happen, and this is what
happens with kernel AVC's.
Things that could go wrong:
- X server uses privilege bracketing (switching uids or capabilities)
and lacks the necessary audit capabilities.
- X server shuts down all descriptors _after_ you've opened the audit
socket, thereby closing it down too.
- Policy doesn't allow X server to write audit messages (requires
audit_write capability and netlink_audit_socket perms).
--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency
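The dbus-style path Stephen describes (audit first, syslog as well) together with the failure modes in his list, as an added example that is not code from the thread, the X server or dbus: it opens the same NETLINK_AUDIT socket audit_open() creates, sends an AUDIT_USER_AVC record, checks the kernel's ack, and falls back to syslog when the socket is gone or the write is rejected; the capability helper reads CapEff from /proc/self/status. Function names and the sample message are my own assumptions.

```c
/* Added example, not code from the thread: raw NETLINK_AUDIT instead of
 * libaudit so it builds without -laudit. Message text is constructed;
 * CAP_AUDIT_WRITE is bit 29 of the CapEff mask in /proc/self/status. */
#include <inttypes.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

enum avc_log_path { LOGGED_VIA_AUDIT = 1, LOGGED_VIA_SYSLOG = 2 };

/* "Lacks the necessary audit capabilities": is CAP_AUDIT_WRITE in the mask? */
int capmask_has_audit_write(uint64_t cap_eff) { return (int)((cap_eff >> 29) & 1); }
/* Effective capabilities of this process, 0 if /proc/self/status is unreadable. */
uint64_t read_cap_eff(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    uint64_t mask = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %" SCNx64, &mask) == 1) break;
    fclose(f);
    return mask;
}

/* Same socket audit_open() creates; keep this fd out of any close-all loop. */
int open_audit_socket(void) { return socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT); }
/* Send msg as an AUDIT_USER_AVC record and check the kernel's ack. Fall back
 * to syslog when the socket is gone (audit_fd < 0) or the kernel rejects the
 * write (the ack carries -EPERM without CAP_AUDIT_WRITE / netlink_audit_socket). */
enum avc_log_path log_user_avc(int audit_fd, const char *msg)
{
    struct { struct nlmsghdr nlh; char data[1024]; } req = { { 0 } };
    struct { struct nlmsghdr nlh; struct nlmsgerr err; } ack;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    size_t len = strlen(msg) < sizeof req.data ? strlen(msg) : sizeof req.data - 1;

    if (audit_fd >= 0) {
        memcpy(req.data, msg, len);              /* req is zeroed, so data stays NUL-terminated */
        req.nlh.nlmsg_len = NLMSG_LENGTH(len + 1);
        req.nlh.nlmsg_type = AUDIT_USER_AVC;
        req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
        if (sendto(audit_fd, &req, req.nlh.nlmsg_len, 0,
                   (struct sockaddr *)&kernel, sizeof kernel) >= 0 &&
            recv(audit_fd, &ack, sizeof ack, MSG_DONTWAIT) >= (ssize_t)sizeof ack &&
            ack.nlh.nlmsg_type == NLMSG_ERROR && ack.err.error == 0)
            return LOGGED_VIA_AUDIT;
        syslog(LOG_WARNING, "audit write failed or was rejected; using syslog");
    }
    syslog(LOG_INFO, "avc: %s", msg);   /* the vsyslog(LOG_INFO, ...) path dbus also takes */
    return LOGGED_VIA_SYSLOG;
}
```

Call it from the server's own uid after any privilege bracketing and after the descriptor close-all loop, so the probe sees the same fd table and capability set the real logging call would.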