On 01/07/2010 03:43 PM, Stephen Smalley wrote: > On Thu, 2010-01-07 at 15:37 -0500, Hasan Rezaul-CHR010 wrote: >> Hi All, >> >> I have a C application task called "sswd" on my Linux system, that >> opens up the /var/log/audit/audit.log file every 5 seconds, and checks >> to see if there are any new AVC denies. >> >> I have had this same task doing the same thing for the last few years >> on a Linux system running selinux. And I have never seen these events >> in audit.log before complaining about the sswd task... I used to use >> older selinux packages, and ran the Fedora Core 7 'strict' policy >> together with some custom policies. >> >> Recently we upgraded our SELinux packages to the very latest (similar >> to Fedora 12), and we are using Refpolicy as a base policy. >> >> In the /var/log/audit/audit.log file, I see the following event pop up >> every 5 seconds, and I am guessing its because "sswd" tries to open up >> the audit.log file every 5 seconds for reading. >> >> 1. Can you help me understand what this event is really saying? >> 2. I have already taken the audit.log file, and used audit2allow to >> generate any allow rules necessary, but it didnt help to get rid of >> this particular event. >> 3. Can I add any specific policy allow lines or transition rules in my >> custom policy files to get rid of this repeated event ? >> >> Thanks in advance. >> >> The event that pops up every 5 seconds in audit.log is: >> >> type=SYSCALL msg=audit(1262874266.422:260): arch=14 syscall=5 >> success=yes exit=24 a0=1002b9e4 a1=0 a2=1b6 a3=1b6 items=1 ppid=2463 >> pid=2794 auid=4294967295 uid=0 gid=601 euid=0 suid=0 fsuid=0 egid=601 >> sgid=601 fsgid=601 tty=(none) ses=4294967295 comm="sswd" >> exe="/usr/app/bin/sswd" subj=system_u:system_r:init_t:s0-s15:c0.c255 >> key="LOG_audit" >> type=CWD msg=audit(1262874266.422:260): cwd="/data" >> type=PATH msg=audit(1262874266.422:260): item=0 >> name="/var/log/audit/audit.log" inode=2061 dev=fd:07 mode=0100600 >> ouid=0 ogid=0 rdev=00:00 >> obj=system_u:object_r:auditd_log_t:s15:c0.c255 > > That's your audit configuration (/etc/audit/audit.rules), not SELinux. > You have an audit rule that says to log all access to the audit log > file, presumably copied from the sample audit rules for the CAPP or LSPP > configurations. Looks like this in audit.rules: > -w /var/log/audit/ -k LOG_audit > > I think you'd be better off using audispd to dispatch audit events to > your program rather than directly reading audit.log yourself. >> >> root@hapWibbSc2:/var/log/audit# ps -eZ | grep sswd >> system_u:system_r:init_t:s0-s15:c0.c255 2781 ? 00:00:00 sswd >> >> root@hapWibbSc2:/var/log/audit# cd /usr/app/bin >> root@hapWibbSc2:/usr/app/bin# ls -l sswd >> -rwxrwxr-x 1 root root 217204 Jan 1 07:49 sswd >> >> root@hapWibbSc2:/usr/app/bin# cd /var/log/audit/ >> root@hapWibbSc2:/var/log/audit# >> root@hapWibbSc2:/var/log/audit# ls -lZ >> -rw------- root root system_u:object_r:auditd_log_t:s15:c0.c255 >> audit.log >> >> >> You probably want to steal the code in sedisp in the setroubleshoot package, since this is exactly what it does. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
