On Tue, 2010-01-19 at 09:57 -0500, Steve Grubb wrote:
> On Tuesday 19 January 2010 04:33:31 am Göran Uddeborg wrote:
> > Daniel J Walsh:
> > > If you use ausearch -m avc to look for this avc, is there some info
> > > setroubleshoot might have dropped?
> >
> > It didn't miss anything. It just gave exactly the same info as in the
> > end of the SETroubleshoot message.
> >
> > (But looking at that and the surrounding events, I realised these
> > AVCs happen when the machine goes down, not when it comes back up as
> > I first thought. That could be one more clue. I'll keep searching.)
>
> There are 2 general issues. Finding and fixing the current problem and having
> troubleshooting info for the next incident. To find the current issue, I think
> all you have to do is add any audit rule which will turn on full auditing.
> This should get the path record if one exists. You could add a rule like this
> to /etc/audit/audit.rules:
>
> -a always,exit -S personality
>
> and that should be one that never triggers.
>
> But going a step further for the next incident, I think that on capability
> denied decisions for: chown, dac_override, dac_read_search, fowner, fsetid,
> and linux_immutable, the object of the operation should be recorded and that
> would be a file or directory. Device and inode should suffice.
The issue with any cap_* check is that there is no "object of the
operation." Capabilities are really just checks for the process. I
think the only way to get it is going to be to make sure you have an
audit rule and you'd get a name record. I tend to use
-a exit,always -F arch=b32 -S kill -F pid=1
Which is sure to never trigger....
-Eric
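Two checks a practitioner would want after reading the above, as an added example that is not code from either poster: does the audit.rules file actually contain a syscall rule on the exit list (the "never fires" rule Steve and Eric suggest), and which AVC events in a log still arrived without a PATH record (name, inode, device). The audit log lines and rule files below are constructed for the example, not real captures; the function names are my own.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code). Checks whether an
# audit.rules file has a syscall rule, and which AVC events in an audit log
# lack the PATH record that such a rule is meant to produce.

# Constructed audit log (not a real capture). Event 1001 is a capability AVC
# logged with no syscall auditing in effect: just the AVC line, no PATH.
# Event 1002 was logged with a syscall rule present, so it carries a PATH
# record with the object's name, inode and device.
SAMPLE_LOG='type=AVC msg=audit(1263898034.100:1001): avc:  denied  { dac_override } for  pid=2345 comm="foo" capability=1  scontext=system_u:system_r:foo_t:s0 tcontext=system_u:system_r:foo_t:s0 tclass=capability
type=AVC msg=audit(1263898034.200:1002): avc:  denied  { dac_read_search } for  pid=2345 comm="foo" capability=2  scontext=system_u:system_r:foo_t:s0 tcontext=system_u:system_r:foo_t:s0 tclass=capability
type=SYSCALL msg=audit(1263898034.200:1002): arch=40000003 syscall=5 success=no exit=-13 pid=2345 comm="foo" exe="/usr/sbin/foo" subj=system_u:system_r:foo_t:s0
type=PATH msg=audit(1263898034.200:1002): item=0 name="/var/lib/foo/state" inode=12345 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0'

# Constructed rules files: one with only a file watch, one that adds the
# never-firing syscall rule from the thread.
RULES_NO_SYSCALL='-D
-b 8192
-w /etc/shadow -p wa -k shadow'

RULES_WITH_SYSCALL="$RULES_NO_SYSCALL
-a always,exit -S personality"

# Read an audit log on stdin and print the serial numbers of AVC events that
# have no PATH record with the same serial, one per line, ascending.
avc_events_without_path() {
    awk '
    {
        # The event serial is the number after the colon in audit(ts:serial).
        if (!match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", id)
        sub(/\)/, "", id)
        if ($1 == "type=AVC")  avc[id] = 1
        if ($1 == "type=PATH") path[id] = 1
    }
    END {
        for (id in avc) if (!(id in path)) print id
    }' | sort -n
}

# Return 0 if an audit.rules file on stdin has a syscall rule on the exit
# list (-a always,exit ... -S <syscall>); this is what makes the kernel
# attach PATH records to events. Watches (-w) alone are not counted here.
has_syscall_rule() {
    grep -Eq '^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)[[:space:]].*-S[[:space:]]+[A-Za-z0-9_,]+'
}

# Stand-alone run over the constructed samples.
missing=$(printf '%s\n' "$SAMPLE_LOG" | avc_events_without_path)
printf 'AVC events without a PATH record: %s\n' "${missing:-none}"
if printf '%s\n' "$RULES_NO_SYSCALL" | has_syscall_rule; then
    echo "watch-only rules: syscall rule found (unexpected)"
else
    echo "watch-only rules: no syscall rule, PATH records will be missing"
fi
if printf '%s\n' "$RULES_WITH_SYSCALL" | has_syscall_rule; then
    echo "rules with -S personality: syscall rule found"
fi
```

On a real box the same two functions take `ausearch -m avc --raw` output and `/etc/audit/audit.rules` on stdin; an event that still shows up from the first function after the rule is loaded is one where the kernel had no path to record, which is exactly the capability-check case Eric describes.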