Thanks for hints with `locate` and file access audit.

danwalsh, did you use any other `security enhanced` unix/linux toolsets? If yes and you have some time, may I ask you to share your experience, please?

It is sad to say, but in most environments where I was working, SELinux on RH servers was disabled; the reasons were like "server is in secure network", "it's hard to setup SELinux properly", "we have another security tool".

PS: check the formatting of the posts after sending them.
PPS: I'm happy to have you in my friends list and read your articles. Keep posting.

Here is a Fedora 12 message testing the chown capability with full auditing.

type=PATH msg=audit(01/20/2010 14:43:20.785:41253) : item=0 name=./capable_file/temp_file inode=841249 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:test_file_t:s0

type=CWD msg=audit(01/20/2010 14:43:20.785:41253) : cwd=/home/dwalsh/selinux-testsuite/tests

type=SYSCALL msg=audit(01/20/2010 14:43:20.785:41253) : arch=x86_64 syscall=fchownat success=no exit=-1(Operation not permitted) a0=ffffffffffffff9c a1=1687310 a2=2 a3=ffffffff items=1 ppid=5167 pid=5182 auid=dwalsh uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1110 comm=chown exe=/bin/chown subj=unconfined_u:unconfined_r:test_nofcap_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(01/20/2010 14:43:20.785:41253) : avc: denied { chown } for pid=5182 comm=chown capability=chown scontext=unconfined_u:unconfined_r:test_nofcap_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:test_nofcap_t:s0-s0:c0.c1023 tclass=capability

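The four records above all carry the same serial (`41253`) in their `msg=audit(...)` header, which is how the kernel ties the AVC denial to the SYSCALL, CWD and PATH records of the same event. The following script is an added example, not code from the post or from the SELinux testsuite: it parses records in the `ausearch -i` style shown here, groups them by serial, and summarizes each denied event (permission, object class, source context, syscall, exe and path) the way a reviewer would read it from an audit log. The `SAMPLE_RECORDS` input is the exact output posted above; the field and regex names are my own.

```python
import re

# Sample input: the four Fedora 12 audit records posted above, unchanged.
SAMPLE_RECORDS = """\
type=PATH msg=audit(01/20/2010 14:43:20.785:41253) : item=0 name=./capable_file/temp_file inode=841249 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:test_file_t:s0
type=CWD msg=audit(01/20/2010 14:43:20.785:41253) : cwd=/home/dwalsh/selinux-testsuite/tests
type=SYSCALL msg=audit(01/20/2010 14:43:20.785:41253) : arch=x86_64 syscall=fchownat success=no exit=-1(Operation not permitted) a0=ffffffffffffff9c a1=1687310 a2=2 a3=ffffffff items=1 ppid=5167 pid=5182 auid=dwalsh uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1110 comm=chown exe=/bin/chown subj=unconfined_u:unconfined_r:test_nofcap_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/20/2010 14:43:20.785:41253) : avc: denied { chown } for pid=5182 comm=chown capability=chown scontext=unconfined_u:unconfined_r:test_nofcap_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:test_nofcap_t:s0-s0:c0.c1023 tclass=capability
"""

# "type=X msg=audit(<time>:<serial>) : <body>" -- the time itself contains colons,
# so the serial is taken as the last ":digits" before the closing parenthesis.
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<time>.+?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$"
)
# key=value pairs; a value like "-1(Operation not permitted)" keeps its parenthesized text.
FIELD_RE = re.compile(r"(\w+)=(-?\d+\([^)]*\)|\S+)")
# The AVC decision and permission set: "avc: denied { chown }"
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")


def parse_records(text):
    """Group audit records by serial. Returns a list of events, each
    {"serial": str, "time": str, "records": {TYPE: [fields, ...]}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, prompt, etc.)
        fields = dict(FIELD_RE.findall(m.group("body")))
        if m.group("type") == "AVC":
            a = AVC_RE.search(m.group("body"))
            if a:
                fields["decision"] = a.group("decision")
                fields["perms"] = a.group("perms").split()
        ev = events.setdefault(m.group("serial"),
                               {"serial": m.group("serial"),
                                "time": m.group("time"), "records": {}})
        ev["records"].setdefault(m.group("type"), []).append(fields)
    return list(events.values())


def summarize_denial(event):
    """Flatten one event into the facts a reviewer wants, or None if nothing was denied."""
    avcs = [a for a in event["records"].get("AVC", []) if a.get("decision") == "denied"]
    if not avcs:
        return None
    avc = avcs[0]
    sc = (event["records"].get("SYSCALL") or [{}])[0]
    cwd = (event["records"].get("CWD") or [{}])[0]
    return {
        "serial": event["serial"],
        "time": event["time"],
        "perms": avc.get("perms", []),
        "tclass": avc.get("tclass"),
        "scontext": avc.get("scontext"),
        "tcontext": avc.get("tcontext"),
        "comm": sc.get("comm"),
        "exe": sc.get("exe"),
        "syscall": sc.get("syscall"),
        "success": sc.get("success"),
        "exit": sc.get("exit"),
        "cwd": cwd.get("cwd"),
        # every PATH item of the event, in order
        "paths": [p.get("name") for p in event["records"].get("PATH", [])],
    }


def denied_summaries(text):
    """All denied events in a chunk of audit output."""
    return [s for s in map(summarize_denial, parse_records(text)) if s]


if __name__ == "__main__":
    for s in denied_summaries(SAMPLE_RECORDS):
        print("%s %s denied %s on %s: %s (%s) -> %s %s" % (
            s["time"], s["scontext"], "/".join(s["perms"]), s["tclass"],
            s["exe"], s["syscall"], s["success"], s["exit"]))
        for p in s["paths"]:
            print("  path:", p, "(cwd", s["cwd"] + ")")
```

The summary for the posted event reads: the `test_nofcap_t` domain was denied the `chown` capability, the `fchownat` call from `/bin/chown` failed with `-1(Operation not permitted)`, and the file involved was `./capable_file/temp_file` relative to the testsuite directory. Grouping by serial matters because an AVC record on its own names the domain and the permission but not the syscall, exit status or path.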