June 24th, 2011

10 things you probably did not know about SELinux.. #7

#7 Does an SELinux Audit Log message always mean something was blocked?  NO

First off, let's get rid of a misconception: an SELinux AVC message consists of a single message in the audit log.

This is false.   

SELinux messages in the audit log usually consist of more than one record, and they don't even need to contain an AVC record.

SELinux is all about preventing syscalls, so if something gets denied you will usually see an SELinux message describing the AVC, as well as the SYSCALL.  If you have full auditing turned on, or the kernel has gathered path information, you could also get a PATH record as part of the overall audit record.

The way to view all the records within an AVC message is to use the ausearch -m avc command.

If you look at the SYSCALL record you will see a Name/Value pair with the name "success".  This field indicates whether the syscall actually succeeded or failed.  "success=yes" indicates the syscall was successful.

I can think of 4 different situations where an SELinux message is generated and the SYSCALL record returns success=yes.

  1. The system is in permissive mode, meaning AVCs are recorded but not enforced.

     > getenforce

  2. The process that caused the AVC is running in a permissive domain (latest Fedoras/RHEL6 only).  AVCs for this process type are not enforced.

     > seinfo --permissive | grep SOURCETYPE

  3. An AVC was generated but the syscall still succeeded by going down a different code path within the kernel.  This is not that common.

  4. An auditallow record was added to the policy.  auditallow says to the kernel: generate an audit SYSCALL message any time this access is granted.  Currently we do this with load_policy, setting booleans, and setenforce.

     type=SYSCALL msg=audit(06/23/2011 13:33:58.044:280) : arch=x86_64 syscall=write success=yes exit=1 a0=3 a1=7fff406c5ce0 a2=1 a3=0 items=0 ppid=4408 pid=4546 auid=dwalsh uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=setenforce exe=/usr/sbin/setenforce subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
     type=MAC_STATUS msg=audit(06/23/2011 13:33:58.044:280) : enforcing=1 old_enforcing=0 auid=dwalsh ses=4
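As an added example (not code from the original post), here is a small Python script that does the check described above over constructed sample records written in the style of ausearch -i output: it groups records by their audit serial number, the way ausearch groups one event, and then reads the success= field of the SYSCALL record rather than the mere presence of an AVC record to decide whether anything was blocked. The PIDs, file names, contexts and the myapp_t domain in the sample are made up for the example; the third event mirrors the setenforce SYSCALL + MAC_STATUS pair shown above, which has no AVC record at all.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `ausearch -i` output (not a real log).
# Serial 101: a denial that was enforced (success=no).
# Serial 102: a denial that was not enforced (success=yes), e.g. permissive mode.
# Serial 103: a setenforce call logged via auditallow: SYSCALL + MAC_STATUS, no AVC.
SAMPLE_LOG = """\
type=AVC msg=audit(06/23/2011 13:30:01.100:101) : avc:  denied  { read } for  pid=1234 comm=httpd name=index.html dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(06/23/2011 13:30:01.100:101) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) pid=1234 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(06/23/2011 13:31:15.200:102) : avc:  denied  { write } for  pid=2345 comm=myapp name=data dev=sda1 ino=3 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(06/23/2011 13:31:15.200:102) : arch=x86_64 syscall=write success=yes exit=5 pid=2345 comm=myapp exe=/usr/bin/myapp subj=system_u:system_r:myapp_t:s0
type=SYSCALL msg=audit(06/23/2011 13:33:58.044:103) : arch=x86_64 syscall=write success=yes exit=1 pid=4546 comm=setenforce exe=/usr/sbin/setenforce subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
type=MAC_STATUS msg=audit(06/23/2011 13:33:58.044:103) : enforcing=1 old_enforcing=0 auid=dwalsh ses=4
"""

TYPE_RE = re.compile(r"^type=(\w+)")
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
KV_RE = re.compile(r"(\w+)=(\S+)")
AVC_DENIED_RE = re.compile(r"\bavc:\s+denied\b")


def parse_events(text):
    """Group audit records by serial number: every record that shares a serial
    belongs to one event, which is what `ausearch -m avc` prints together."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        mtype = TYPE_RE.match(line)
        serial = SERIAL_RE.search(line)
        if not (mtype and serial):
            continue  # skip blank or non-audit lines
        fields = dict(KV_RE.findall(line))
        fields["type"] = mtype.group(1)
        fields["raw"] = line
        events[int(serial.group(1))].append(fields)
    return dict(events)


def classify(records):
    """Apply the rule from the post: success= on the SYSCALL record, not the
    presence of an AVC record, tells you whether the access was blocked."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    success = syscall.get("success") if syscall else None
    denied = any(r["type"] == "AVC" and AVC_DENIED_RE.search(r["raw"])
                 for r in records)
    if denied and success == "no":
        return "blocked"
    if denied and success == "yes":
        # Permissive mode, a permissive domain, or another kernel code path.
        return "denied-but-not-enforced"
    if success == "yes" and not denied:
        # No denial at all: an auditallow-style audited grant such as the
        # SYSCALL + MAC_STATUS pair that setenforce produces.
        return "audited-grant"
    return "unknown"


def summarize(text):
    """Map each event serial to its classification."""
    return {serial: classify(recs)
            for serial, recs in sorted(parse_events(text).items())}


if __name__ == "__main__":
    for serial, verdict in summarize(SAMPLE_LOG).items():
        print(f"event {serial}: {verdict}")
```

Against the constructed sample this reports event 101 as blocked, 102 as denied but not enforced, and 103 as an audited grant. On a real system you would feed it the output of ausearch -i -m avc,syscall,mac_status instead of the embedded string; the grouping by serial number is the same thing ausearch does for you when you view a single event.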