SELinux tricks - auditallow

SELinux tricks - auditallow

Sometimes, you want to know when an SELinux rule is used, e.g. when/if sshd opens an authorized_keys file in a user home. You can use auditallow rule for that and check audit log:

# cat > auditsshd.cil
(auditallow sshd_t ssh_home_t (file (open)))

# semodule -i auditsshd.cil

Now when I log in using ssh I can see this records audit.log:

time->Tue Dec  8 14:36:42 2015

type=PROCTITLE msg=audit(1449581802.796:1871): proctitle=737368643A206261636872616473757369205B707269765D

type=PATH msg=audit(1449581802.796:1871): item=0 name="/home/bachradsusi/.ssh/authorized_keys" inode=3280290 dev=fd:03 mode=0100600 ouid=13567 ogid=13567 rdev=00:00 obj=unconfined_u:object_r:ssh_home_t:s0 nametype=NORMAL

type=CWD msg=audit(1449581802.796:1871):  cwd="/"

type=SYSCALL msg=audit(1449581802.796:1871): arch=c000003e syscall=2 success=yes exit=4 a0=5597b11cd1a0 a1=800 a2=1 a3=7fc72d95c2f0 items=1 ppid=17259 pid=17354 auid=4294967295 uid=0 gid=0 euid=13567 suid=0 fsuid=13567 egid=13567 sgid=0 fsgid=13567 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1449581802.796:1871): avc:  granted  { open } for  pid=17354 comm="sshd" path="/home/bachradsusi/.ssh/authorized_keys" dev="dm-3" ino=3280290 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file

Which can be read as:

A process with a title 'sshd: bachradsusi [priv]'; executed via '/usr/sbin/sshd' executable and running with an SELinux context system_u:system_r:sshd_t:s0-s0:c0.c1023; calls open() syscall on /home/bachradsusi/.ssh/authorized_keys path which has an SELinux context unconfined_u:object_r:ssh_home_t:s0; and access was granted.

Receive Updates